The Digital Black Market for Identity Data

  • Richard Marley
  • October 11, 2021
  • 6 minutes read
  • 1113

The collection, purchase, or trade of customer data is big business. Unless organizations and individual entities take necessary precautions, that information may be at risk. Once this data is compromised, there’s a high possibility of losing rights to it forever. By gaining an understanding of how the black market for identity data works and steps businesses can take to reduce the chances, can prevent consumers from becoming a victim. 

Dark Web, Identity Theft, and How Criminals Profit

The cycle that initiates the black market for identity data begins through a ransomware attack, data breach or successful phishing attempt. So far in 2021, the number of data breaches have already surpassed last year’s total. The Identity Theft Research Center reported that 1,291 breaches had occurred till October 2021, compared to a total of 1,108 in 2020. The 17% rise indicates that higher numbers are on the way, making it more necessary than ever to safeguard identity data. 

What makes the situation more alarming is that such attacks are not a secluded phenomenon. Typically, they are executed to gain unauthorized access to Personally Identifiable Information (PII) which can then be sold to sites on the dark web that traffic for identity theft, firearm dealing, illegal software, and more. According to the International Monetary Fund, identities, credit card details and bank credentials are the second-most wanted “product” on the dark web, closely subsequent to contraband and pharmaceutical drugs. 

Listed below are a few price tags attached to data that is commonly sold on the dark web.


Global Overview

Following an in-depth analysis of 50 different dark web marketplaces, cybersecurity researchers came to the following conclusion:


Researchers also noted that the average price of stolen PII was above an average of $20 per document in Colombia, New Zealand, and Mexico. Furthermore, China, Singapore, Turkey, Canada, Israel, and Australia all had averages of either $14 or $15. 

Suggested: Top 10 Cybersecurity Trends for 2021 

Lifelong Consequences

The costs of data breaches do not stop once the relationship has been restored between a customer and a business. Instead, the stolen information lives on forever on the dark web, available to be traded, sold or otherwise exploited. Once identity data has been stolen, it is used for:

  • Forging fake digital identities, leading to synthetic identity fraud
  • Hacking email accounts
  • Rerouting mails to fraudulent addresses
  • Opening credit card accounts under the victim’s name
  • Shopping online under a forged identity
  • Applying for student loans, state benefits, car loans, and mortgages
  • Accessing online bank accounts through fake documents

While the news typically broadcasts how the dark web facilitates drugs, guns, and other illicit activity, the black market for identity details is too big to be overlooked. 

Use Case: Fingerprints for Sale

In 2019, two illegal marketplaces called Richlogs and Genesis were identified for selling “stolen fingerprints” of 60,000 online users, giving the holder complete access to the victim’s online presence or web activity. The PII being sold through Richlogs was providing the buyer all the necessary assets for assuming someone’s identity online — passwords, login credentials, and other cached data,  all of which help to perfectly impersonate someone’s online activity and bypass security checks. The fingerprint details were mainly acquired through malware attacks, which provided Genesis operators with account passwords and full browser history. After purchasing the digital identity for $5 to $200, the identity thief could log into that person’s account to illegally access funds, personal photographs, confidential or proprietary documents, or even submit official documents on their behalf to governmental agencies.

The Easy Way Out

The irony of identity fraud and financial crimes is that a majority of PII losses occur because companies leave the back door open for criminals due to weak internal security measures. While data breach or phishing attacks cannot be completely deflected, companies can catch identity thieves by employing automated identity verification solutions. 

These solutions are powered by AI technology and are put to use during the initial stage of customer onboarding. Once an identity thief attempts to log in to the victims, say, bank account or patient health portal, AI models accurately detect discrepancies in the information to detect fake or forged identities. On top of this, biometric facial recognition technologies can also be employed to enable remote identity verification through face scans. These strategies not only prevent identity fraud during the initial stages of account opening, but also allow companies to comply with mandatory KYC regulations.

Additionally, companies can also protect customer accounts from being hijacked by criminals by doubling up security protection through 2-factor authentication. This way, in case an account has been logged into by a criminal, the 2FA code sent to the victim’s mobile device becomes inaccessible. 

Key Takeaways

As the black market for identity data is booming, customers and companies alike are left with two options: either dismiss the idea of providing identity details online and forgo convenient digital services, or safeguard the data by employing advanced technologies. AI-based IDV solution is one viable option for preventing identity frauds, leading to the ultimate protection of millions of customer data online. Shufti Pro’s IDV solution verifies the identity of customers with an accuracy rate of 98.67% – one of the highest in the IDV market – that too within 30 seconds. 

Need to safeguard your platform from identity fraud? Try our 7-day free trial or talk to our experts right away!