The dark web continues to be a hub for illegal activities, including the sale of stolen personal data. Recent research by NordVPN , through their Dark Web Case Study , reveals a staggering $17.3 million in income from the sale of stolen data over a span of just a few years, with over 720,000 sales recorded.
This surge in dark web sales is part of a growing trend of data breaches, with high-profile hacks exposing personal information. In 2023 , for example, the T-Mobile breach compromised the personal data of over 37 million people , including sensitive information like social security numbers and driver’s licence details. Similarly, in 2020, Zoom saw a massive data leak, with over 500,000 accounts exposed, including emails and passwords. These breaches highlight the increasing frequency with which personal data is targeted by hackers, and the alarming amount of stolen information being sold on the dark web.
In this article, we’ll explore the findings of the NordVPN study, examine what types of data are being sold on the dark web, how much it costs, and what measures we can take to protect ourselves from falling victim to these scams.
The Dark Web’s Growing Market for Stolen Data
According to NordVPN’s report, the dark web market consists of more than 22,000 listings for stolen data, with over 720,000 sales conducted, amounting to $17.3 million in sales. The most frequently traded items in this illegal marketplace include payment card data, identity information (like passports and driving licences), online accounts, and email addresses. This data is used by cybercriminals to commit fraud, identity theft, and other illicit activities, often at the expense of innocent victims.“ The dark web isn’t an abstract threat. It’s an active hub where stolen personal data is bought and sold daily.
"Cybercriminals don’t just exploit weak passwords; they exploit systemic flaws, automate attacks, and adapt their methods to bypass security measures. The scale of these transactions highlights the need for stronger security at both individual and corporate levels.”, remarked Vakaris Noreika, Head of Product at NordStellar
Most Commonly Sold Data on the Dark Web
Payment Card Data: Payment card information is among the most sought-after items on the dark web. Hackers can use stolen credit or debit card data to make fraudulent transactions or sell it to others for quick profit. With the help of brute force techniques, attackers can easily guess or steal this data in minutes, making it a frequent target for cybercriminals.
Personal Identification Documents: Passports, driving licences, and identity cards are highly valued because they allow scammers to impersonate individuals. These documents can be sold for hundreds of dollars, depending on the country of origin. For example, passports from countries like the Czech Republic , Lithuania , and Slovakia are sold for around $3,800 each, while passports from other countries like Argentina can cost as little as $8.95 .
Email Addresses and Accounts: Email addresses are often sold in bulk on the dark web, with prices depending on the type of email. Personal email addresses can go for as low as $9 , while business emails and voter emails, particularly from the EU , cost more. These stolen emails are typically used in spam campaigns or phishing attacks.
Social Media and Online Accounts: Accounts on platforms like Netflix , Uber , and other subscription-based services are bought and sold at low prices. These types of online accounts can cost just a few dollars. However, more valuable accounts, such as Binance and Kraken crypto exchange accounts, can sell for hundreds of dollars, showing that cybercriminals are increasingly targeting financial platforms.
Full Personal Identity Data Sets: Full sets of personal information, such as names , addresses , dates of birth , social security numbers , and payment card data , are extremely valuable. These data sets allow criminals to impersonate victims and commit fraud on a large scale. Full personal identity data sets are sold for between $16 and $228 , depending on the region.
How to Protect Yourself from Dark Web Threats
With the dark web serving as a marketplace for personal data, it's crucial to take steps to protect your information from falling into the wrong hands. Here are some essential practices to safeguard yourself from becoming a victim:
Use Strong and Unique Passwords: Avoid using simple or reused passwords across multiple accounts. Strong passwords should be long and contain a mix of characters. Use password managers to store and generate secure passwords for your online accounts.
Monitor Your Accounts: Stay vigilant by regularly monitoring your financial statements, social media accounts, and other personal information for any signs of unusual activity. Set up alerts for transactions and logins to stay on top of your security.
Enable Multi-Factor Authentication (MFA): Where possible, enable MFA on your accounts. This provides an extra layer of security, ensuring that even if your login credentials are compromised, it will be harder for criminals to gain access.
Avoid Oversharing Personal Information Online: Be mindful of the personal information you share on social media platforms. Scammers often use publicly available information to piece together personal details to conduct phishing attacks.
Keep Your Software Updated: Regular updates for your operating systems, browsers, and applications often include important security patches. Ensure your devices are up-to-date to protect them from the latest threats.
Use a Dark Web Monitor: Dark web monitoring tools alert you if your personal data is found on dark web marketplaces.
While personal security practices are essential, it's also important to recognise that no measure can completely safeguard you from the threat of data breaches that occur at the corporate level. Hackers often target large organisations to access sensitive personal data. To further protect yourself, it’s important to stay informed about breaches and take action, such as freezing your credit or using identity theft protection services, to minimise the potential damage if your data is compromised.
Conclusion
The sale of stolen personal data on the dark web represents a growing and highly profitable threat to organisations across industries. With cybercriminals generating millions of dollars by exploiting sensitive information, it is imperative for businesses to prioritise robust data security measures. Companies must not only invest in safeguarding their internal systems but also ensure comprehensive monitoring of data breaches and emerging threats. By adopting best practices for cyber hygiene, implementing multi-factor authentication, and staying informed about the latest security protocols, organisations can mitigate the risk of data compromise.
Furthermore, businesses should proactively engage in monitoring the dark web for exposed data and leverage tools that help track the misuse of company data. Ensuring compliance with data protection regulations, along with offering identity theft protection services for employees and clients, will further reduce the potential fallout from cyberattacks. With an increasing reliance on digital infrastructure, a strategic, multi-layered approach to data security is essential to safeguard an organisation’s reputation and mitigate financial and legal risks associated with data theft.
About the Author
James Greening , operating under a pseudonym, brings a wealth of experience to his role. Formerly the sole driving force behind Fake Website Buster, James leverages his expertise to raise awareness about online scams. He currently serves as a Content Marketing & Design Specialist for the Global Anti-Scam Alliance (GASA).
James’s mission aligns with GASA’s mission to protect consumers worldwide from scams. He is committed to empowering professionals with the insights and tools necessary to detect and mitigate online scams, ensuring the security and integrity of their operations and digital ecosystems.
Global Anti-Scam Alliance Launches Scam.org with OpenAI and Key Partners
The Global Anti-Scam Alliance (GASA) launched today Scam.org, an AI-powered platform that provides scam education, prevention, detection, reporting, and victim support.
La Industrialización del Engaño: Por qué 2026 será el año en que las estafas cibernéticas cambien para siempre
El auge de la inteligencia artificial está eliminando las señales tradicionales de alerta y transformando las estafas en un sistema industrial a gran escala.
The Industrialization of Deception: Why 2026 Will Be the Year Cyber Scams Change Forever
The rise of artificial intelligence is eliminating traditional warning signs and transforming scams into a large-scale industrial system.
What to Expect From Scams in 2026 in the Age of AI
Experts discuss how AI is changing scam tactics and what to expect in 2026, in this webinar hosted by GASA Brazil.
Global Anti-Scam Alliance Policy Agenda 2026
The Global Anti-Scam Alliance outlines its 2026 policy agenda, setting priorities across consumer education, intelligence sharing, prevention, enforcement, research and financial disruption.
GASA Mexico Convenes First National Roundtable and Signs MOU With Cybersecurity Directorate, Setting Ambitious Agenda for Cross-Sector Collaboration to Fight Digital Scams & Fraud
GASA Mexico convened its first national roundtable and signed an MOU with Mexico’s Government Cybersecurity Directorate to strengthen coordinated action against scams and digital fraud.
GASA Launches Africa Chapter to Strengthen Regional Scam Prevention
GASA is launching its Africa Chapter, creating a dedicated platform for public and private sector collaboration across the continent.
Guard Your Heart: A GASA Valentine’s Special on Romance Scams
Experts examine romance scam tactics, disruption strategies, and victim recovery across Asia-Pacific.