How much is a scan of your passport worth to a cybercriminal?
In late September 2018, Comparitech searched listings on several illicit marketplaces to find out how much passports are worth on the dark web. Those black markets include Dream Market, Berlusconi Market, Wall Street Market, and Tochka Free Market.
This a typical listing for a passport scan that includes a selfie:
Here are our key findings:
- The average price of a digital passport scan is $14.71.
- If proof of address or proof of identification —a selfie, utility bill and/or driver’s license—is added to a passport scan, the average price jumps to $61.27.
- Australian passport scans were the most common, and yet, the most expensive ($32).
- The average price of a real, physical passport is $13,567.
- The average price of a counterfeit, physical passport is $1,478.
Passport scans, be they forged or real, are often accompanied by other forms of identification, typically a utility bill, selfie of the ID card owner holding up their ID, and/or a driver’s license. These add-ons are reflected in the price—they cost significantly more than just a digital scan. The reason for this is because multiple forms of ID are usually required to pass proof-of-address and proof-of-identification checks on websites. These checks are often part of the account recovery process in which a user has somehow lost access to their account and must prove who they are to regain access.
The bulk of our analysis focused on digital scans and images of real passports. In total, we found 48 unique listings for real passports scans, 38 of which were not sold with any accompanying proof of ID or address. Those 48 spanned 20 countries, the prices of which you can view in this table:
Passport country Price Notes Australia $10.40 includes driver's license Australia $37.65 Australia $7.91 Australia $36.40 Australia $37.99 Australia $27.36 Australia $20.34 Australia $94.21 includes secondary ID Belgium $10.39 Canada $102.96 includes selfie China $18.72 China $1.04 sold in pack of 100 China $10.40 sold in pack of 10 China $12.23 EU (random) $5.17 Finland $8.32 France $0.61 (sold in pack of 40) France $18.99 includes utility bill France $7.91 France $11.66 France $124.80 includes utility bill and selfie France $10.40 sold in pack of 10 Germany $8.31 Germany $12.48 Ireland $7.27 Italy $14.68 sold in pack of 10 Latvia $12.48 Mexico $28.81 Poland $12.68 Poland $33.10 Romania $12.48 Russia $10.00 Russia $11.00 sold in pack of 10 Spain $10.40 Spain $14.68 UK $51.99 includes driver's license UK $14.76 includes utility bill UK $7.91 UK $18.25 sold in pack of 10 UK $17.68 UK $24.47 UK $12.48 UK $61.19 includes utility bill + selfie Ukraine $11.00 sold in pack of 10 USA $6.11 USA $8.32 USA $115.00 includes selfie USA $18.36 includes SSN and address
Australia and UK passport scans were the most frequently listed, and Australian scans were the most expensive on average (US$32). We found no consistent pattern to the prices according to country; they did not seem to be based on scarcity or the power of the country’s passport. A wide range of vendors sell passport scans, but a small handful seem to specialize in them.
Types of passports for sale on the dark web
Passports sold on the dark web come in a few forms:
- Editable Photoshop templates used for making fake passport scans. These cost very little and are available for almost any Western country. They make up the majority of marketplace listings when searching for „passport“.
- Digital passport scans. These real scans of actual passports cost around $10 each and are often sold in bulk. They are available for several countries and are fairly common.
- Physical passport forgeries. We found listings for counterfeit passport forgeries for a handful of European countries. They typically cost north of $1,000.
- Real, physical passports. These are the real deal (according to the listing), so they are not common nor cheap. Most of them cost more than $12,000.
All of these are sold on the dark web for cryptocurrency, typically Bitcoin or Monero. The prices in the table were accessed and converted to US dollars on September 24 and 25, 2018.
How do criminals use passport scans?
Some of the most common targets for criminals who purchase passport scans include cryptocurrency exchanges, payment systems, and betting websites.
While a company may be referred to in a marketplace listing, it does not necessarily imply that it is vulnerable or that accounts have been compromised.
Some banks and other financial institutions only require two pieces of identification to open a new account. With a stolen passport and driver’s license, for example, fraudsters can open accounts and collect the signup rewards in the victim’s name, or use the account as a mule to cash out on other illegal transactions. This is called a “bank drop” scam, and it can implicate the victim in other crimes.
We surmise that real scans are more effective than Photoshopped counterfeits for bank drop scams.
Account recovery scams and bypassing 2FA
In this scam, hackers use impersonation and social engineering to bypass two-factor authentication and abuse the account recovery process used on many sites. Account recovery often requires scanning or taking a photo of a physical ID, such as a passport.
Scammers can modify ID scans to impersonate account holders on a number of websites that require photo ID for account verification and recovery.
Here’s an example of how a passport scan might be used in an account recovery scam:
- The target has an account with a cryptocurrency exchange. They’ve set up two-factor authentication on their account, so a code is sent to an app on their phone to verify logins.
- Through some other means, the scammer steals the user’s password (perhaps through phishing or a data breach). But because 2FA is enabled on the account, they can’t get in.
- Instead, the scammer poses as the victim and approaches the cryptocurrency exchange, saying they’ve lost access to their phone and cannot get the authentication PIN, and thus cannot log in.
- The cryptocurrency exchange requests the account holder send a scan of their ID to prove their identity before resetting the 2FA on the account. In many cases, companies will require the person take a selfie while holding the ID, hence the higher price for passport scans with selfies.
- The scammer modifies the scans from the dark web as necessary to match the victim’s personal details, then sends it to the exchange, still posing as the victim.
- Upon receipt of proof of identity, the cryptocurrency exchange resets or removes the 2FA on the account, allowing the hacker to access and drain the victim’s crypto assets. Hackers routinely change the passwords and email addresses associated with accounts to make it harder for the account owner to regain control.
Many black market vendors offer to alter the information shown in these documents, scans, and selfies to match whatever name and other details are provided by the buyer. The buyer can sometimes request passports of people with a certain sex, hair color, skin color, eye color, and approximate date of birth.
When using Photoshop templates, criminals simply enter in the info they want and drop in their own photo. Passport numbers are sequential and thus not hard to guess a legitimate one, and most companies who request proof of ID won’t actually verify whether the passport number matches the passport holder.
All of the physical passports we found for sale on the dark web were for European countries. Physical passports sold on the dark web come in two forms: genuine and forgeries. They can be used as identification for any number of fraud-related crimes as well as illegal immigration, human trafficking, and smuggling.
Authentic, state-issued passports are hard to come by and cost a lot, ranging from $8,216 (Germany) to $17,116 (UK). The average price of the eight supposedly genuine passports was $13,567. At least one vendor claims these passports came from “our corrupt immigration police contacts,” though we have no way of verifying this. In many cases buyers are given the option to specify what details are included in the passport, including stamps for specific countries.
Real, physical passports Price Austria $14684 Czech $12237 Germany $8216 Italy $14684 Poland $12237 Portugal $14684 UK $17116 UK $14679
Forgeries cost about one-tenth of the price, but they still cost in excess of $1,000. The average price of the six vendors selling forgeries was $1,478. Buyers submit the information and headshot to be used in the counterfeit when making the purchase.
How to protect your passport
Protecting your passport is difficult because travelers are required to show them on so many occasions while traveling. Passports are required at immigration checkpoints, hotel check-ins, and when applying to jobs and schools abroad. Passports are often scanned and stored on computers that may not be sufficiently secure. Someone with access to those scans might be fencing them on the dark web. It’s easy to imagine a receptionist at a cheap hostel flipping scans of their clientele on the dark web for some pocket cash.
You should do what you can to protect your passport so it’s not abused by criminals. Here are a few tips:
- In many cases, you can provide your own copy of your passport rather than having a stranger scan it. Make black-and-white scans ahead of your trip, because most criminals want color copies.
- Don’t post photos of the inside of your passport on social media.
- Dispose of old passports by destroying them, don’t just throw them away.
- Don’t store your passport in checked luggage on a plane, train, or bus.
- Watch out for pickpockets, and consider an anti-theft bag.
- Don’t leave your passport lying out when you’re not around, such as in a hotel room. Lock it up when possible.
- Don’t store scans of your passport on your device in case it’s stolen or hacked. Encrypt and store the scans on a separate hard drive or in the cloud instead.
- Don’t store your passport with other identifying documents that could be used to steal your identity
Notes and limitations
At times, it’s difficult to distinguish between a listing for a photoshopped scan and a real scan. We tried to only include real scans in the table above.
Passport scans are a lot cheaper if you buy in bulk, but there’s no guarantee those scans haven’t been used before, that the information in them hasn’t expired, or that they aren’t Photoshopped forgeries. Some of the listings look like duplicates from different vendors, suggesting multiple vendors might be selling the same scans. We tried to avoid listing duplicates in the table above.
While it’s always possible that some listings are scams, all of the vendors whose products we included in our analysis had positive buyer feedback.
All of the marketplaces we searched use English as their primary language. Marketplaces in other languages, such as Russian, could well produce different results.
A 2014 study revealed a 15 percent error rate in matching the person to the passport photo they were displaying among passport-issuing immigration officials in Australia.
There’s no shortage of fake ID generator apps on the web that don’t require buying stolen scans off the dark web, but we’re not sure how they compare in terms of quality, customization, and accuracy.
Images redacted by Comparitech. We reached out to some of the supposedly vulnerable companies mentioned in the listings and will update this article if we hear back.