The Dark Web: What Is It & How Hackers Sell Your Identity on It for Pennies

Dolores Bernal
Writer
April 16, 2024

In 2015, my co-worker Mike told me about the dark web and the insane things that happened there. 

I couldn’t quite wrap my mind around how there was a place where people could anonymously sell personal information or even hire hitmen online!

Right there, Mike asked for my wife’s name and, within seconds, found her Social Security Number for sale – for $2.50! 

There’s more.

The website he found it on claimed to have over 160 million other SSNs and dates of birth for sale. That was half of the United States population at the time.

Like my wife and millions of other Americans, hackers can sell your personal data for mere change.

Your SSN is one of the most valuable assets to a fraudster. It potentially opens the door to your retirement savings, government benefits, bank accounts, or IRS and credit files.

Think of the damage that can happen if it gets into the wrong hands.

But did you know your SSN goes for less than $3 on the dark web?!

Yes. Your identity. The gateway to possibly everything you have. Sold for peanuts. 

And that’s not all.

Sensitive documents like passports, passwords, credit card details, and banking accounts can also be found on the dark web for pennies.

Now, what is the dark web, and where can you find it? How do you protect your identity from being sold there?

In this guide, I’ll discuss everything you should know about the dark web and how to protect yourself.

What is the Dark Web, and How Does it Work?

iceberg in an ocean

The world wide web has three layers – the surface web, the deep web, and the dark web. 

Let’s use an iceberg in an ocean as an example. 

The tip of the iceberg which protrudes is the surface web.

It’s what you see and interact with daily when you use Google, Yahoo!, Bing, CNN, and millions of public websites. 

You’re using it right now as you read this article.

Most of us spend time on the surface web, which is friendly (kind of).

But there’s more beneath the ocean where the sunlight fades away slightly.

The Deep Web

The mid-part is called the deep web or hidden web. It is larger than the surface web but can only be accessed by people with access to the data there.

You use the deep web almost daily when logging into your email account, checking medical records, or your online banking information. 

That’s because the deep web contains databases, government records, scientific data, academic information, legal documents, financial and medical information, etc.

The NASA, National Oceanic and Atmospheric Administration, US Patent Office, and private databases like LexisNexis and Westlaw are some of the largest sites listed here. 

These pages can’t be found using traditional search engines because they aren’t indexed like webpages on the surface web. 

You need to know where you’re going and have a valid account/password to enter. 

The Dark Web

Just like the ocean analogy, there are places where the sunlight completely fades away. 

The dark web. 

This is the underbelly of the internet. 

It contains encrypted online content that traditional search engines like Google and Bing don’t index. 

You can only access the dark web with specific browsers like TOR (The Onion Router).

Ironically, the US Navy created TOR software in the 1990s to enable anonymous communication between intelligence agents working abroad and their American colleagues. It was made available to the public for free in 2003. 

Using the dark web comes with a great deal of anonymity and privacy compared to conventional websites.

On the good side, the dark web protects people who conduct dangerous, but not necessarily illegal work. 

For example, intelligence and law enforcement agencies, whistle-blowers, journalists trying to protect their sources, activists performing political protests, etc. 

On the other hand, some people have found a way to use this protection to conduct illegal activities. 

In this case, you can think of the dark web as the black market of the internet.

This is a hidden part of the internet where many things people want to keep in the shadows happen. 

Things like drug and human trafficking, hiring hitmen, counterfeits and contraband, fraud, and stolen identities or items.

Criminals use the dark web because they can buy and sell illegal goods with complete anonymity. TOR hides users’ IP addresses, and to prevent tracking, transactions are typically made using a cryptocurrency like Bitcoin.

✎ Related: What Can I Do If My Data Ends Up On The Dark Web? ➔

Famous Stolen Identity Cases on the Dark Web

The Silk Road was the first marketplace on the dark web involving the anonymous buying and selling of illegal goods and services. It accepted Bitcoin for transactions, adding to the anonymity.

It was founded in 2011 by Ross Ulbricht, who ran it until the FBI closed it down in 2013. Ulbricht was eventually sentenced to life in prison.

Another example is AlphaBay, which the FBI also took down in July 2017. 

According to the FBI, at the time when the site was shut down, AlphaBay had 28,800 stolen credit card numbers, 4,488 stolen personal IDs, and 3,586 hacking tools.

In 2021, Europol took down DarkMarket, the world’s largest illicit dark web marketplace. DarkMarket had nearly 500,000 users, over 2,400 sellers, and more than 320,000 transactions had been conducted on the platform.

Unfortunately, there are many more sites like AlphaBay and DarkMarket still operating. And like the thousands of past victims, your identity, SSN, and credit card number can also be stolen and sold on the dark net.

✎ Related: Famous Identity Theft Cases That Rocked The Nation

How Much Does Your Identity Cost On The Dark Web?

Have you ever heard the term “fullz”? 

Possibly not.

It’s a fraudster slang that means a complete package consisting of everything you need to commit identity theft. We’re talking about Social Security numbers, addresses, phone numbers, date of birth, mother’s maiden name, driver’s license number, etc.

Basically, it is complete information on a prospective fraud victim. 

You’d think this would be expensive. But a fullz sells for between $20 and $130 depending on the potential victim’s age, credit score, and the scope of information provided.

Below, you’ll find the personally identifiable information (PII) you’ll find on the dark web and how much each cost. These prices are according to the 2022 dark web price index and other sources.

Prices have fallen by more than 50% on the dark web, indicating that more sensitive documents are available for sale. Given the high rate of data breaches and identity theft, there’s a huge supply of stolen identities on the dark net.

1. Your Email and Social Media Account

Email addresses and social media accounts are hot commodities on the dark web.

Most of us use one email address to open multiple accounts, including online banking. It’s also possible to open certain accounts with Facebook. 

This means fraudsters can use this information to access a range of accounts they’re associated with.

On average, ten million USA email addresses cost about $120 on the dark web, while 2.4 million Canadian emails cost around $100. 

But how do hackers know the password?

They could cross-reference the account information in leaked databases, use social engineering tactics like phishing to get the password, or use brute-force attacks.

Already-hacked Facebook and Instagram accounts sell for about $45 on the dark web.

2. Driver’s License and Similar IDs

Your driver’s license and other similar government identifications are your gateways to various services. In the United States, these IDs are often linked to your SSN. 

However, the extent to which your ID is connected to other sensitive personal accounts and information will determine how far a fraudster can go using your identity. And this also affects the price. 

An ID scan or digital copy of your DL depends on how much info is attached to it. You can sign up for services like insurance and car rentals with driver’s licenses, and these connections can be used for fraud.

Prices also vary depending on the location. 

For example, a Minnesota driver’s license costs around $150, while an Alberta CA driver’s license sells for $165.

3. Selfie With ID

A government-issued ID shouldn’t get into the wrong hands. But adding a selfie makes things worse.

Many services, especially financial companies, use a Know-Your-Customer (KYC) program to verify users. KYC requires you to take a selfie alongside an ID to confirm your identity.

Although KYC is excellent for security reasons, hackers can use it for different reasons, like obtaining insurance and microloans or even laundering millions of dollars, especially in cryptocurrency. 

Your selfie showing you holding an ID goes for around $120 on the dark web.

4. Passport

How many times have you sent scans of your passport? You probably don’t notice you do it often. 

Besides your driver’s license, your passport is the most common form of identification used to obtain government aid or services.

But when you send a passport copy on the web, hackers can intercept and sell it on the dark web. 

Your passport is more expensive than other identifications. The price varies depending on the country and how complete it is. A full passport copy will sell for more than just the bio page. 

5. Credit Card and Online Banking Information

Financial accounts are among the most popular commodities on the dark web.

The price of your credit card depends on how much you have.

If you have up to $5,000 on your credit card, it’ll be sold for just around $120 on the dark web. 

This goes down to $80 if your account balance is up to $1,000.

Prices also depend on the amount of information provided.

For instance, the price decreases if a CVV is missing because the card is less useable.

You’ll also find cloned credit and debit cards on the dark web. These counterfeit copies of real cards can be used to make purchases using someone else’s money.

If there’s a pin, then this can be especially valuable.

Lastly, if a hacker steals your online banking information, they could sell the details for around $65 per account.

6. Password for Online Subscriptions

I can’t count how many shopping, streaming, and recreational services my wife and I are subscribed to.

And you could probably count five of these services right now.

Accessing online content, including books, movies, television shows, podcasts, and other media, is becoming more and more common thanks to subscription-based entertainment. 

While losing access to one of these accounts can be frustrating, it can become even more problematic if your login information is sold on the dark web in exchange for cheaper access to premium content.

Unfortunately, password databases are frequently involved in data leaks. Although most databases have become outdated, many people use the same passwords for multiple accounts. This means a data breach from five years ago can be used to defraud you if you reuse the same password.

A Netflix account with a one-year subscription costs $25. An Uber account sells for $15, while a driver account costs $35.

Other subscriptions like HBO, NBA League Pass, adult site accounts, CNBC Pro, Kaspersky, Hulu, and sports betting are available at ridiculously low prices.

Someone somewhere could be using your account. But even worse, they could access your payment details via your account and commit a bigger fraud.

7. Medical Records

Most people don’t know their medical records are sensitive and should be kept away from prying eyes.

This scam is popular among the elderly, but it can almost certainly happen to anybody, especially if you have a medical history, ailment, or underlying disease.

Cybercriminals buy medical records on the dark web because it helps them file false health insurance, access prescription drugs, or compose spear phishing emails.

They can impersonate Medicare representatives and email you all the details they have of you. Many people fall for this medical scam because it looks real. 

Recent reports show that healthcare had the highest cost per stolen data in data breaches worldwide, with $429.

If you fall victim to medical identity theft, you’ll get billed for treatments the thief receives. You may experience delays getting medical care and even lose access to all your health benefits.

Unfortunately, you may also face criminal charges.

A 68-year-old doctor was wrongfully convicted in 2018 for participating in a Medicare fraud in Louisiana. He spent months in federal prison before the conviction was overturned. 

8. Cryptocurrency Exchange Account

If you have a cryptocurrency account, it could also be sold on the dark web. The price could be huge, especially if your account stores a lot of cryptos. As a result, cryptocurrency exchange accounts are one of the most expensive data for sale on the dark web.

Hacked crypto accounts can go for $250 on the dark web.

9. Malware

Malware is another more expensive item available on the dark web. Cybercriminals use malware, a type of software, to break into computers and access vast amounts of private data that can then be exploited. 

Of course, a local tech store won’t sell malware. 

To do this, you must turn to more illegal sources, and the dark web is an excellent choice because it provides services like Malware-as-a-Service.

Cyber-criminals can use malware in many ways:

  • Infect your device with malicious software to harvest additional data that complement what they already have. 
  • They might also use malware to blackmail and extort money from you.
  • Disrupt a company or service you use so its value depreciates. They can steal your confidential data or the company’s intellectual property and sell it to competitors.

The average price of malware on the dark web is around $1263. Prices can go as high as $5,500 depending on the quality and success rate of the malware and the location.

Other services on sale on the dark web that can be used to steal your identity include Distributed denial of service (DDoS) attacks, money laundering schemes, and cybercriminal tutorials.  

The Dangers of Having Your Identity Stolen and How it Can Be Sold on the Dark Web

A data breach is the most popular way hackers can steal your identity to sell on the dark web.

Hackers access thousands of personal information after a data breach. So, if a cybercriminal accesses enough data, they can make thousands or millions by selling on the dark web. 

In Q4 2022 alone, data breaches exposed the personally identifiable information (PII) of over 22 million Americans, including SSNs, passports, and driver’s licenses. 

But why do people buy personal data and the dangers of having your identity stolen?

It’s valuable. 

There’s almost no limit to what someone can do with your personal information. 

They can impersonate you and commit crimes that will take years for you to prove your innocence. 

You could be wrongfully prosecuted for criminal charges. And with every piece of evidence pointing to your personal information being used to commit the crime, there’s not much you might be able to do.

Fraudsters can also take out loans with your identity leaving you with an impossible debt to pay back.

They can also make purchases with your money or use your medical records to file false health insurance claims and gain access to prescription drugs. 

People can also buy your personal data, like the password for online subscriptions, to use streaming accounts for entertainment.

In addition, scammers can change your address and receive sensitive mail, especially from the IRS. This can be used to understand your tax situation and file returns.

Unfortunately, fraudsters with your info might also access your children’s data as well. They can create new credit files and ruin your kids’ chances of applying for government benefits like student loans or employment benefits in the future.

And you may never know about this debt until it’s too late.

For example, Michelle Thibodeau took her 16-year-old son, John, to get his learner’s permit in 2003. Surprisingly, they learned he already had a driver’s license. 

But that wasn’t all. John also received a notice from the Department of Revenue telling him he owed child support payments.

The story got worse when John became a grocery store bagger, and the DOR seized a chunk of his paycheck. When Thibodeau called the agency, she discovered part of her son’s tax return was also taken.

It turned out Thibodeau’s ex-husband, James Johnson, was the culprit. James had been incarcerated since 1995 and had been using John’s identity even before he was jailed. 

Johnson eventually escaped Massachusetts’ six-year statute of limitations placed on identity theft, so he couldn’t be charged.

Not only did Johnson plunge the innocent boy and his mother into debt, but he also got away with it because it took years before the victim and his mom found out.

This is the story of over 1 million yearly child identity theft events.

How to Safely Check Your Identity on the Dark Web?

I wouldn’t check my identity on the dark web. This is a shady digital location, and you can easily expose yourself.

In 2015, a Redditor shared a deep web story of how they were browsing and all of a sudden received a message, “We see you.” They never knew who sent the message and how it was sent.

There are many other creepy stories from browsing the dark web.

Going on the dark web might also cause your device to be infected with malware and ransomware attacks unless you have a secure cybersecurity setup. You might also get caught in a scam or even become an unwitting criminal accomplice.

The dark web isn’t illegal, nor is it unlawful to access it. Only the activities conducted there could be illegal.

If you choose to check if your identity is for sale on the dark net, you’ll need to protect yourself with a secure VPN for TOR. This increases anonymity and adds extra security.

You’ll also need to download TOR via your browser’s private/incognito mode. Log in and use special dark web links to locate the right marketplaces that may host your PII.

The TOR browser is only available for Mac, Windows, Android, and Linux. Once connected, you’ll be able to access dark net websites known as “Tor hidden services.” 

Dar web addresses end with “.onion” instead of the usual “.com” or “.org” on the surface web.

Using a strong VPN for ToR will mask your IP address. But there are safer ways to check if your identity has been stolen and is up for sale on the dark web.

Rather than exposing yourself, I recommend subscribing to a trawling service from Equifax or Experian. 

These companies can help you check dark web marketplaces to find your information. It is safer and done by professionals who will know where to look.

What Can You Do to Protect Yourself From Having Your Identity Stolen On The Dark Web?

You shouldn’t have to check if your identity has been compromised before protecting yourself. Millions of personal data are exposed each year, and chances are that your information is probably already on the dark web.

Here are tips to protect yourself:

1. Use Strong and Different Passwords

You’re the first line of defense against attacks and identity theft. 

As such, it’s important to protect your accounts with strong passwords. Generic passwords like your date of birth, child’s name, marriage anniversary, pet’s name, etc., are easy to crack.

You should also use different passwords for different accounts. Ensure that each password is at least 15 characters with a combination of letters, numbers, and special symbols. 

The longer and more varied your password is, the more difficult it is for hackers to crack.

I use a password manager to help me generate strong and unique passwords. The password manager saves the passwords, so I don’t have to remember them all.

You should change passwords after a cyber-attack.

But DON’T WAIT FOR A DATA BREACH before changing your passwords.

As a rule of thumb, I change all passwords every three months.

Some of the best password managers are Zoho Vault, 1Password, RoboForm, and Bitwarden.

Lastly, make sure you delete accounts you no longer use. Hackers might compromise old accounts, which can be dangerous if you reuse passwords across multiple accounts.

2. Enable 2-Factor Authentication

2FA adds an extra layer of security to your accounts. 

This means if hackers get your login details, they still can’t access your account with the passwords alone.

2FA requires a password plus something you can access, such as an authentication code or a text message sent to your phone.

Due to the emergence of SIM swapping scams, I recommend you use an authenticator app since it’s safer. 

I use Google Authenticator, but Authy, LastPass, and Microsoft Authenticator are good alternatives.

3. Don’t Use Public Wi-Fi

Public Wi-Fi is usually free, making it enticing for many people.

But 25% of the world’s Wi-Fi networks don’t have any encryption or password protection. 

This means if you log into your online banking profile, email, social media, or any other account while on public Wi-Fi, the information is completely open and accessible by third parties.

Since you never know which Wi-Fi is protected or not, it’s best to avoid using public Wi-Fi.

If you must, I suggest you use a VPN like NordVPN, CyberGhost, and NortonVPN. You should also enable antivirus software like Kaspersky, McAfee, and Bitdefender. 

I use VPN and antivirus regardless of whether I’m on public Wi-Fi or not. 

4. Freeze Your Credit

Ensure you place a security freeze on your credit accounts with the three bureaus, Equifax, Experian, and TransUnion. This stops ID fraudsters from opening new account lines in your name. 

You typically only need to contact one credit bureau, and they’ll notify the others.

Freezing your credit is free and can be deactivated whenever you want to use the card.

5. Monitor Financial Accounts

Most fraudsters will make small purchases with your money to see if you notice before making a bigger one. 

Ensure you monitor every financial account, including bank accounts, credit cards, and 401(k)s. Check bank statements and obtain free credit reports from the three main credit bureaus or AnnualCreditReport.com. 

If you notice unauthorized activity, an unexpected drop in your credit score, or unexplained missing funds, place a fraud alert on your account. 

Contact the Federal Trade Commission to report identity theft.

6. Use Safe ATM Practices

Your local ATM could be used to access your personal data. Here are some best practices to protect yourself whenever you’re at the ATM:

Check for ATM Skimmers: A skimmer is a device placed over an ATM. It’s usually a replica of the card reader, but they send your card information to a hacker instead. Here’s how to check for ATM skimmers:

  • Press around the sides of the ATM’s car slots to find loose ends. Skimmers are often mounted delicately, so they’ll likely move when you apply light pressure.
  • Check for tape or glue around the ATM edges. If you find any adhesives on the ATM, alert the bank immediately.
  • If you’re struggling to insert your card into the ATM, don’t force the situation. Report to the bank.

Check for Fake Keypads: Scammers can place fake keypads over legitimate ATM keypads to record your PIN. Like skimmers, they’re sometimes loosely mounted. They may creak or jiggle around while punching the PIN. The keypads may also look off-center. It’s important to take note of these signs and contact the bank immediately.

7. Protect Personal Information and Safely Store Sensitive Documents

You must protect any personally identifiable information from getting into the wrong hands. Ensure you don’t give sensitive information to people on social media.

Personal data like your date of birth, mother’s maiden name, home or office address, age, and so on should be kept secret.

Sensitive documents and government-issued IDs like passports and SSNs should be stored in safe places and not carried around. In most cases, your driver’s license is enough identification to carry with you.

If you must reveal your PII or SSN to companies or services, ask how it will be used and who can access it. 

8. Subscribe to an Identity Protection Service

Subscribe to ID protection services like Aura, Identity Guard, Identity Force, Privacy Guard, and IDShield can help protect your personal data from being stolen and sold on the dark web. Many of these services also offer dark web monitoring.

✔ Act Now: Get Fortified Against Dark Web Threats! Enjoy Off + 14 Day FREE Trial with Aura Identity Theft Protection, the No.1 Service!


They will notify you once your identity is used or listed for sale, helping you take steps to protect yourself immediately.

The Experian IdentityWorks Premium service is also an excellent choice that provides advanced identity theft monitoring. 

Experian IdentityWorks and the Aura Dark Web Scanner can help you perform monthly privacy scans to see if your sensitive information has been exposed.

These services assess your risk of identity theft, credit theft, home title or deed fraud, account hijacking, robocalls, and how likely data brokers are to sell your personal information.

Some ID protection services also come with an insurance policy of up to $1,000,000 in case of losses from identity theft.

Conclusion

Stolen identities are regularly sold on the dark web because they are a valuable and long-term investment to a fraudster. Most people find out too late that they’re fraud victims and are plunged into debt. 

Fraud committed after 2 to 6 years of a data breach increased by 400% over four years. Don’t wait for a data breach to implement security best practices. 

Use strong and secure passwords, enable multi-factor authentication, use reliable antivirus software, freeze your credit, and monitor financial statements regularly. 

You should also keep sensitive documents in a safe where no one but you can access them. And don’t forget to subscribe to identity theft protection services.

If you suspect unusual activity, report it to the relevant authorities like the FTC, local police, and credit bureaus immediately.