Every breach headline hides a second-act drama that unfolds out of sight. Once hackers extract a trove of corporate records or consumer log-ins, that data rarely sits idle; it flows straight into a shadow economy that has grown as sophisticated as any legitimate e-commerce sector.
Researchers now count about 30,000 active hidden-service sites on the Tor network (The Onion Router, an overlay network for enabling anonymous communication, popular for browsing the Dark Web), a 44% jump in a single year, with an average of 2.5 million daily visitors.
This article peers inside that economy: how dark-web markets function, what kinds of data command the highest prices, and, most importantly, how understanding that supply chain helps defenders predict attacks, focus threat-hunting, and disrupt campaigns before the damage is done.
The dark web’s thriving illicit ecosystem
Technically, the dark web is simply the encrypted slice of the internet reachable with tools such as Tor, but in practice, it operates like an Amazon for criminals. Vendors brand their shops, complete with star ratings and reviews, and settle disputes through escrow. The big difference is that the inventory is stolen credentials rather than sneakers.
It’s estimated that despite takedowns of high-profile marketplaces, these sites still took in just over $2 billion in Bitcoin during 2024. Individual marketplaces can rival midsize enterprises: the now-defunct Agartha alone cleared $91 million in just 35 weeks.
Police successes, like Silk Road (2013), RaidForums (2022), BidenCash (seized June 2025), and Telegram-based Xinbi/Huione Guarantee (shut down May 2025), prove the venues aren’t invulnerable. Yet each bust just spawns replacements, with a ‘long-tail’ of hundreds of small markets ensuring continuity.
Increasingly, criminals skip Tor altogether and hawk loot on Telegram channels that auto-post fresh stealer logs the moment a leak surfaces, giving buyers one-click access to usernames, cookies, and tokens.
The data that sells
Stolen information is prized because it allows cybercriminals to bypass defences rather than breaking through them. Phishing remains involved in 36% of breaches, usually to lift credentials that attackers later resell, and a single browser session cookie can sidestep multi-factor authentication outright, an abuse security analysts dub ‘pass-the-cookie’ or the 2025 ‘Cookie-Bite’ technique.
Different types of data have different levels of popularity and resale value. The average prices are given in US Dollars, but most sales involving stolen data use cryptocurrencies.
- Personal ‘fullz’: These are bundles of name, address, SSN, and date of birth that can trade for between $5 and $100 each on mainstream fraud shops.
- Financial data: Verified credit-card dumps with balances up to $5,000 fetch between $17 and $120, while cloned cards with PINs hover around $20.
- Medical records: Because they enable insurance fraud and blackmail, individual records can command $1,000.
- Corporate access: Initial Access Brokers (IABs) now auction VPN or RDP footholds for just a few hundred dollars, shifting to ‘low-cost, high-volume’ sales in 2024–25 that feed ransomware affiliates at scale. A full database exfiltration, however, may list privately for $500 to $100,000, depending on the sensitivity of the data.
- Consumer accounts: Even entertainment and social media log-ins hold value: hacked Netflix or Uber credentials sell for about $40, and Facebook accounts for $45.
Behind those price tags lies a caste system. Newcomers post low-risk credential packs; mid-tier actors resell cloud storage or session cookies; advanced crews cherry-pick high-privilege domain admin or OT network access and negotiate directly with ransomware operators for a revenue share.
How criminals source and monetise data
Phishing may open the door, but malware does the heavy lifting: information-stealer families siphon tokens and passwords en masse, then forward them straight into Telegram bots that stream fresh cookies and credentials, many still valid, into reseller channels. Ransomware crews add a second revenue stream by threatening public release, ‘double-extortion’ style.
Meanwhile, IABs industrialise the front end. Research shows brokers advertising compromised endpoints that run nothing more than default Windows Defender, ready for post-exploitation kits.
Crime-as-a-Service (CaaS) offerings have exploded. There are reports of a 44% rise in global attacks linked to Malware-as-a-Service subscriptions (MaaS), and many of the high-profile cyberattacks against major brands this year have been linked to Ransomware-as-a-Service (RaaS) groups.
These services have dramatically lowered the barrier to entry for sophisticated cyberattacks and data theft at scale: you no longer need much technical know-how at all, just a healthy enough crypto wallet to pay.
Fallout for businesses and individuals
The financial toll is steep. The global average cost of a data breach stands at $4.88 million, a record high, and smaller companies are just as viable targets: organisations with under 500 staff now face an average $3.31 million hit per incident.
Beyond direct costs, leaked credentials allow adversaries to ‘log in, not break in,’ quietly pivot across networks, plant malware, or exfiltrate IP. Consumers endure fraudulent charges and identity theft at scale.
It’s calculated that over 1.4 billion data records have been breached in 2025 so far.
Empowering cybersecurity teams: anticipate, hunt, disrupt
Given the volume of data in circulation and the increasing volume of attacks, security leaders must assume exposure will happen and act accordingly.
Continuous dark-web monitoring, whether via specialised threat-intel feeds or External Attack Surface Management (EASM) platforms, lets defenders spot stolen credentials in near-real time. When analysts see a company email domain appear on a dark data marketplace, they can force password resets before attackers weaponise the data.
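The triage step described above, as an added example that is not part of the original article: it scans a leaked-credential feed for the organisation's accounts and decides which need a password reset and which also need their sessions revoked. The JSON-lines feed format, the field names and the `example.com` domain are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: the organisation's domains; example.com is a placeholder.
CORP_DOMAINS = {"example.com"}

# Constructed sample records in a hypothetical JSON-lines feed format.
SAMPLE_FEED = """\
{"login": "Alice@Example.com", "url": "https://sso.example.com/login", "password": true, "cookies": 3}
{"login": "bob", "url": "https://vpn.example.com/", "password": true, "cookies": 0}
{"login": "carol@example.com.evil.test", "url": "https://shop.test/", "password": true, "cookies": 1}
{"login": "alice@example.com", "url": "https://mail.example.com/", "password": false, "cookies": 2}
{"login": "dave@gmail.test", "url": "https://shop.test/", "password": true, "cookies": 0}
not-json garbage line
"""

def in_scope(host, domains):
    """True if host equals a corporate domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(feed_text, domains=CORP_DOMAINS):
    """Map each exposed corporate account to the set of responses it needs."""
    actions = {}
    for line in feed_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # feeds are messy; skip lines that cannot be parsed
        if not isinstance(rec, dict):
            continue
        login = str(rec.get("login", "")).strip().lower()
        email_host = login.rpartition("@")[2] if "@" in login else ""
        url_host = urlsplit(str(rec.get("url", ""))).hostname
        # In scope if the login is a corporate address OR the credential
        # was captured for a corporate service (e.g. a bare VPN username).
        if not (in_scope(email_host, domains) or in_scope(url_host, domains)):
            continue
        todo = actions.setdefault(login, set())
        if rec.get("password"):
            todo.add("reset_password")
        if rec.get("cookies", 0) > 0:
            # A stolen session cookie may stay valid after a password change.
            todo.add("revoke_sessions")
    return actions

if __name__ == "__main__":
    for account, todo in sorted(triage(SAMPLE_FEED).items()):
        print(account, sorted(todo))
```

The lookalike address `carol@example.com.evil.test` is deliberately not matched, because the comparison is on whole domain labels rather than a substring.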
Detection only works alongside layered controls. Multi-factor authentication is still critical, but defenders should bind it to device posture or risk-based scoring to mitigate cookie theft. Encrypt sensitive stores, and apply strict least-privilege access and zero-trust frameworks so that even a valid log-in token reveals little. These controls should be tested with regular red-team and vulnerability-scan cycles to catch misconfigurations that IABs monetise.
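One way to check the device binding described above, as an added example that is not part of the original article: a session is tied to the device that completed MFA, and any later request presenting that session from a different device is flagged. The log layout and the `device_id` field (assumed to be derived server-side, for example from a managed-device certificate) are hypothetical.

```python
import csv
import io

# Constructed sample of a hypothetical auth log:
# time, event, session, user, device_id, ip
SAMPLE_LOG = """\
2025-06-01T09:00:00Z,mfa_ok,s-1001,alice,dev-a1,198.51.100.10
2025-06-01T09:05:00Z,request,s-1001,alice,dev-a1,198.51.100.10
2025-06-01T09:40:00Z,request,s-1001,alice,dev-a1,203.0.113.7
2025-06-01T10:02:00Z,request,s-1001,alice,dev-zz,192.0.2.55
2025-06-01T10:10:00Z,mfa_ok,s-2002,bob,dev-b2,198.51.100.20
2025-06-01T10:11:00Z,request,s-2002,bob,dev-b2,198.51.100.20
2025-06-01T10:30:00Z,request,s-3003,carol,dev-c3,192.0.2.99
"""

def evaluate_sessions(log_text):
    """Return (time, session, user, reason) for requests that break binding."""
    bound = {}      # session id -> device that completed MFA
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # ignore blank or malformed lines
        ts, event, sid, user, device, _ip = row
        if event == "mfa_ok":
            bound[sid] = device
        elif event == "request":
            if sid not in bound:
                # Session in use that never passed MFA in this log window.
                findings.append((ts, sid, user, "no_mfa_binding"))
            elif bound[sid] != device:
                # Same cookie, different device: treat as a replayed session.
                findings.append((ts, sid, user, "device_mismatch"))
            # An IP change alone (roaming, VPN) is not flagged here.
    return findings

if __name__ == "__main__":
    for finding in evaluate_sessions(SAMPLE_LOG):
        print(finding)
```

Each finding is a candidate for step-up authentication or session termination; the 09:40 request passes because only the IP changed, not the device.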
People remain the first line of defence. Generative-AI tooling now lets even novice scammers craft flawless spear-phish or deepfake video calls that persuade employees to wire millions. Embedding real-world phishing simulations and breach-drill exercises into company training and culture is no longer optional.
Finally, disruption matters. Coordinated operations such as the recent seizures of BidenCash and Huione Guarantee show that when law enforcement, blockchain-analysis firms, and infrastructure providers team up, they can take entire market ecosystems offline.
Conclusion
The stolen-data marketplace is resilient, lucrative, and evolving. From Tor storefronts to Telegram bots, from MaaS rentals to AI-driven social engineering, cyber-criminals have built an industrial supply chain that turns every breach into fresh fuel for the next attack.
Yet visibility is power. By understanding how these markets work, tracking what they sell, and reacting fast when proprietary data appears for sale, cybersecurity teams can turn the criminals’ own economy against them: shutting doors, revoking tokens, and starving adversaries of profit before exploitation ever begins.
Isla Sibanda is an ethical hacker and cybersecurity specialist based in Pretoria. For over twelve years, she's worked as a cybersecurity analyst and penetration testing specialist for several reputable companies, including Standard Bank Group, CipherWave, and Axxess.