A new study by NordVPN analyzed one of the dark web markets that has illegally sold more than 720,000 items and data pieces for a total of $17.3 million. Prices for American items or pieces of data varied from 99 cents to $342. The most expensive merchandise was bank account login data, which had an average price of $90. This is 15 times more than the cheapest category — U.S. payment card data — which had an average price of $6.
Among the items found globally were passports, personal IDs, driving licenses, email, payment card data, mobile phone numbers, online accounts, bank account logins, crypto accounts, and more.
“This one market is just the tip of an iceberg,” said Adrianus Warmenhoven, a cybersecurity expert at NordVPN. “There are over 30,000 websites on the dark web at the moment. Keep in mind that only 4% of the entire internet belongs to the surface web that is available to any user online. The market that was analyzed in our case study was chosen because it was used by some big hacker groups in the past, such as the one involved in AT&T data theft in August of last year.”
The study was conducted in partnership with third-party cybersecurity researchers with the aim of warning users about the possible dangers of the illegal activities people take part in on the dark web.
Some key findings are included below.
- Data for American bank accounts was the most expensive among American merchandise found on the analyzed dark web market, with an average price of $90. The most expensive American bank data was from U.S. Bank, which can be bought for $342. However, data for European bank accounts costs much more — Dutch ING bank account data costs $3,800, and British Barclays costs $2,900 per account.
- The most expensive merchandise overall was passports, with an average price of $600 per document. Czech, Slovakian, or Lithuanian passports were the costliest, with an average price of $3,800. An American passport only costs $20. The price depends on many factors, including how difficult it is to fake a document, how widely it is sold, and how commonly it is bought. So other types of documents can cost more: An American ID costs $76 on average, and a driver’s license is only $48.
- As in other countries, American data that could be brute-forced or guessed is sold at much lower prices. Payment card data costs around $6 and mobile phone numbers cost around $4.50 on average. Another easy way for hackers to steal a user’s data or digital assets is credential stuffing (when a leaked password or email is used to get access to other platforms). That is why online accounts come at a low price as well — a hacked Netflix account can be bought for $10, an Uber account for $12, and a Twitter account for as little as $2.
- Crypto wallets and investment accounts cost more than payment processing accounts and even more than American bank accounts. With an average price of $395, the most expensive crypto account data is from Binance, followed by Kraken at $384 and crypto.com at $350. Payment processing accounts, like PayPal, have an average price of $100. The most expensive merchandise in this category is the CashApp account, costing around $244.
- Some criminals also buy emails in batches and use them for phishing attacks or other malicious purposes, such as influencing important government decisions or election results. U.S. voter emails can be bought by state, where one batch costs around $10. Voter emails from the whole country could be bought for $99.99.
- The prices for American merchandise for different states vary drastically. A Colorado ID card can cost around $200, while you can buy an ID from Washington for as little as 99 cents.
How to reduce the risk of data being sold
“The broad scope of the data offered on these criminal markets shows the importance of taking charge of your security and privacy online,” Warmenhoven said. “Your cybersecurity is in your hands. If you know the risks and equip yourself with the right tools and information, you’ll maximize your chances of keeping yourself and your family secure.”
- Make sites and services earn your trust. Hackers get lots of data by targeting the websites and services you share your data with. You can’t personally secure the servers that store your data, but you can vote with your wallet or feet. Make your data security a priority. If a site or a service asks you for sensitive data, ask tough questions about how the company secures it and what it will do if its data is breached.
- Educate yourself. You can do a lot individually to protect your data. This will depend largely on where you spend your time online, but you can be proactive and research ways to stay safe on the devices and services you use.
- Stay vigilant. One side of the coin is knowing how to protect your data, and the other is knowing how to react quickly and effectively when your sensitive data is used without your permission.
- Monitor your accounts. Request weekly bank statements or activate transaction notifications on your app. Turn on the security settings for all of your accounts so you know when login attempts are made from suspicious devices. Make use of tools offered by the sites or services you use (for example, a password strength checker that will tell you if your password is present in any breaches).