An analysis of one prominent dark web market has revealed a network that has sold over 720 thousand items of personal data for $23.2 million.

A new study by cybersecurity company NordVPN has analysed one of the dark web markets that to this day has illegally sold more than 720 thousand items and data pieces for $17.3 million USD ($23.2 million AUD).

The most expensive merchandise was full identity data sets, which had an average price of $112.5 AUD. This is 8 times more than the two cheapest categories – Australian mobile numbers and emails – which had an average price of $13.4 AUD.

Among the items found were passportspersonal IDsdriving licensesemailpayment card datamobile phone numbersonline accountsbank account logins and crypto accounts, as well as personal data.

“There are over 30K websites on the dark web at the moment. Keep in mind that only 4% of the entire internet belongs to the surface web that is available to any user online.”

“The market that was analysed in our case study was chosen because it was used by some big hacker groups in the past, such as the one involved in AT&T data theft in August of last year,” he said.

The study was conducted in partnership with third-party cybersecurity researchers with an aim to warn users about the possible dangers of illegal activities people take part in on the dark web. 


Average prices of found Australian items and data include:

  • Australian full identity data sets were the most expensive among Australian merchandise found on the analysed dark web market. This kind of set usually includes namesurnameidentification numberaddressbirth date, and other information that help criminals to perform identity theft and other crimes.
  • Australian passports were the fifth cheapest in the world, with an average price of $16.5 AUD. Czech, Slovakian or Lithuanian passports were the costliest (avg. price $5,104 AUD) The price depends on many factors, including how difficult it is to fake a document, how widely it is sold, and how commonly it is bought. 
  • Similarly to other countries, Australian data that could be brute-forced or guessed is sold at much lower prices. Payment card data costs around $20 AUD and mobile phone numbers cost around $13 AUD on average.
  • Another easy way for hackers to steal a user’s data or digital asset is credential stuffing (when the leaked password or email is used to get access to other platforms). That is why online accounts come at a low price as well: a hacked Netflix account can be bought for $13 AUD, an Uber account for $16 AUD, and a Twitter account for as little as $2.7 AUD.
  • Crypto wallets and investment accounts cost more than payment processing accounts and even more than some of the bank accounts. With an average price of $530.55 AUD, the most expensive crypto account data is from Binance, followed by Kraken ($515 AUD) and ($470 AUD). Payment processing accounts (e.g., PayPal) have an average price of $134 AUD. The most expensive merchandise in this category is the CashApp account, costing around $328 AUD.
  • Some criminals also buy emails in batches and use them for phishing attacks or other malicious purposes. Researchers noticed that those emails could be put in three types: personal emails (avg. price for Australian $13.4 AUD), business emails (none Australian found; avg. price overall – $13.4 AUD), and voters’ emails (none Australian found; avg. price overall – $18.8 AUD). 
Australian items: Average price:
Payment card data 20 AUD
Mobile phone 13.4 AUD
Personal emails batch 13.4 AUD
Business emails batch 13.4 AUD
Full personal identity data set 112.5 AUD
Passport 16.5 AUD
Driving License 48 AUD

You can see the full price list of items found on the research page:


“The broad scope of the data offered on these criminal markets shows the importance of taking charge of your security and privacy online. Your cybersecurity is in your hands.

“If you know the risks and equip yourself with the right tools and information, you’ll maximize your chances of keeping yourself and your family secure,” cybersecurity expert Adrianus Warmenhoven tells TOTT News.

He offers some steps as a starting point:

  • Make sites and services earn your trust: Hackers get lots of data by targeting the websites and services you share your data with. You can’t personally secure the servers that store your data, but you can vote with your wallet or feet. Make your data security a priority. If a site or a service asks you for sensitive data, ask tough questions about how the company secures it and what it will do if its data is  breached.
  • Educate yourself: You can do a lot individually to protect your data. This will depend vastly on where you spend your time online, but you can be proactive and research ways to stay safe on the devices and services you use.
  • Stay vigilant: One side of the coin is knowing how to protect your data, and the other is knowing how to react quickly and effectively when your sensitive data is used without your permission. 
  • Monitor your accounts: Request weekly bank statements or activate transaction notifications on your app. Turn on the security settings for all of your accounts so you know when login attempts are made from suspicious devices. Make use of tools offered by the sites or services you use (a password manager NordPass, for example, offers a password strength checker that will tell you if your password is present in any breaches). 

Caution and vigilance can ensure your data is protected online.