The going rate for a stolen identity is about twenty bucks.
Tens of millions of people have lost their private information in data breaches over the past few years. But what happens after that—how the data are leveraged for financial gain—remains murky. Many of those stolen records end up for sale on the anonymous, seedy area of the internet commonly known as the dark web.
Analyzing the sale of those records sheds some light on the vibrant market for stolen identities. On the dark web’s eBay-like marketplaces, the full set of someone’s personal information—identification number, address, birthdate, etc.—are known as “fullz.” We analyzed listings for individual fullz that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. Our question: How much is a stolen identity worth?
Among tens of thousands of records in the Grams data, we were able to identify more than 600 listings for individual identities—some including credit card information, others without. The listings ranged in price from less than $1 to about $450, converted from bitcoin. The median price for someone’s identity was $21.35.
Though the transactions are usually illegal, marketplaces on the dark web function much like those on the popular internet. Prices for stolen identities vary based on factors like quality, reliability, robustness, and the seller’s reputation.
The most expensive fullz we examined, from a vendor called “OsamaBinFraudin,” was listed at $454.05. The vendor explained in the listing that this was a premium identity with a high credit score:
hello this ad if for usa profiles that have been freshly created and already currently have 720 credit scores or higher with no current bad history and no fraud alert you can use profiles for your own identity to get loans cars housing anything u can use a identity with perfect credit the profile will come with full name addresses associated with profile ssn dob credit karma login to verfiy credit score price is high because these profiles are pre built and already have high credit scores and you can use these identities as your own long as you like
The second most expensive identity, at $248.22, came with an American Express card that the vendor claimed had a $10,000 limit:
Amex CC Account Fullz Balance 10K
Once you place the order you ll have a first hand Account with American Express Full information Account Simple Login Information User ID Password Billing Information Name Surname Address City Zip Code State Phone Number Birth Day Birth Month Birth Year Place of Birth Social Security Number Mother s Maiden Name Mother s Date of Birth Credit Card Information Credit Card Number Exp Date Name On Card CVV2 ATM Pin CSC Pin E mail Information E mail Address Password
Listings on the lower end were typically less glamorous. They included only the basics, like the victim’s name, address, social security number, perhaps a mother’s maiden name. In these listings, vendors did not offer assurances of good credit scores or credit card limits, and in some cases they were selling identities with “dead,” non-working credit cards. This description of a $2 identity, from vendor “mrq1234,” explains that these are valuable for people in-the-know:
Here s the listing for x1 DEAD UK fullz Please be clear on the fact that you will be receiving a dead card In some cases the card maybe live but we will not be checking or guaranteeing this The information provided can be used to take out phones lines of credit etc The people out there who know how to monetize such information will have a field day with this
In general, fullz containing credit scores were listed at higher prices. Fullz with dead cards went for considerably lower amounts.
Marketplaces on the dark web, not unlike eBay, have feedback systems for vendors (“cheap and good A+”), refund policies (usually stating that refunds are not allowed), and even well-labeled sections. There are no special codewords to learn, no back-channels that must be sussed out. On the AlphaBay market, for example, one can just click on the button marked “Fraud,” then into subsections like “Personal Information & Scans” or “CVV & Cards.”
It’s impossible to verify whether listings for identities on the black market, including the ones we analyzed, correspond to real people or are themselves fraudulent. It’s also difficult to determine where the data originated. Some vendors claim their fullz come from specific sources (“Limited supply of these ultra fresh Turbo Tax profile[s]”) or allude to vague ones (“This listing is for hacked UK fullz straight out of a payment processor”), but it’s not uncommon for these kinds of claims to be bogus.
In June, for example, a text file was passed around a black market message board, claiming to hold records from the breach of the US government’s Office of Personnel Management, and the nature of the data seemed to line up with the claim. But reporter Brian Krebs later discovered the records had actually come from a different government agency. Usually, we don’t know where data from large breaches ends up, or where black market identities come from, unless someone is arrested.
One such person, who was arrested in 2012 and sentenced to 13 years in prison earlier this month, procured the identities he sold online in one of the largest data breaches on record. Hieu Minh Ngo, a Vietnamese national, obtained access to 200 million records, complete with social security numbers, from a company called Court Ventures, which is owned by Experian.
Ngo’s case proves that the business of stealing identities in vast numbers and selling them through online marketplaces can indeed be extremely lucrative. He netted more than $1.9 million from selling the records, according to a prosecutor at Ngo’s plea hearing.
Even when marketplaces on the dark web are shut down, others opens in their place. The chart below shows the number of fullz listings each month on the two major marketplaces where identities were bought and sold. Following arrests in Germany in March, the administrators of the Evolution marketplace apparently made off with bitcoin its users had left in escrow, and listings on the newly launched AlphaBay shot up.