Data Breaches Fuel $20.9 Billion Dark Web Economy, Transforming Stolen Information into Lucrative Cybercrime
The theft of sensitive data during high-profile breaches does not simply disappear; it initiates a complex journey through a well-organized criminal economy. Once extracted, stolen data undergoes rigorous testing, packaging, pricing, and listing on dark web marketplaces. These platforms attract a diverse range of buyers, from fraud rings to nation-state actors, who bid for access to the information, which is then utilized to perpetrate various cybercrimes.
The dark web represents an encrypted layer of the internet that is intentionally concealed from casual users. Accessing this hidden realm necessitates the use of anonymizing software, such as Tor, which routes traffic through encrypted relays and resolves .onion addresses that are invisible to standard DNS. The commodities traded on the dark web include credentials, payment card information, personally identifiable information (PII), healthcare records, corporate network access, ransomware-as-a-service kits, and forged documents.
According to the FBI’s Internet Crime Complaint Center, cybercrime losses exceeded $20.9 billion in 2025, marking a 26% increase from the previous year. This alarming statistic underscores the extent to which threat actors are exploiting a dynamic market that transforms stolen data into a reliable source of income, making organized cybercrime increasingly lucrative.
A Professionalized Supply Chain: The Players
The dark web operates with a specialization of roles that resembles a commercial supply chain.
- The Collectors: Phishing crews, infostealer operators, and ransomware groups are responsible for extracting raw data. The “2025 Data Breach Investigations Report” from Verizon revealed that credential theft was involved in 22% of breaches, 20% of exploited vulnerabilities, and 16% of phishing activities. Flashpoint’s “2025 Global Threat Intelligence Report” identified over 23 million hosts infected with infostealers, resulting in 2.1 billion harvested credentials.
- Initial Access Brokers (IABs): These brokers focus on the intrusion phase rather than executing attacks themselves.
- Marketplace Operators and Aggregators: Platforms such as BreachForums, Russian Market, and various Telegram channels serve as the marketplace layer. Operators charge listing fees while providing escrow systems, reputation scoring, and dispute resolution. These markets often employ commercial-grade controls.
- The Buyers: Fraud rings constitute the largest segment of demand, acquiring PII, complete identity packages (referred to as “fullz”), and card data for account takeovers, synthetic identity fraud, and fraudulent loan applications. Ransomware affiliates purchase IAB listings to proceed directly to encryption and data exfiltration.
Dark Web Prices and Payment
Pricing on dark web markets adheres to a consistent logic based on data freshness, completeness, validity, and country tier. A recent analysis by DeepStrike found that U.S. credit card data with CVV commands prices ranging from $10 to $40, while a card with a verified balance of $5,000 can fetch between $110 and $120. Healthcare records can exceed $500 per record, and unlike cards, they cannot be canceled or rotated. The “2025 IAB Report” from Check Point indicated that most corporate access listings are priced between $500 and $3,000, with domain admin credentials commanding significantly higher prices.
Payments on these platforms are predominantly made using cryptocurrency. Bitcoin is commonly used for ransomware transactions, while Monero is favored for marketplace trades due to its inherent privacy features. Stablecoins, primarily USDT, account for 63% of illicit crypto volume, as reported in Chainalysis’s “2025 Crypto Crime Report.”
Market Scale and the Data Lifecycle
The dark web’s stolen data market operates on a measurable scale. KELA’s “State of Cybercrime 2026” report tracked 2.86 billion compromised credentials circulating across criminal markets in 2025, encompassing infostealer malware, breach databases, and underground marketplaces.
Once extracted, stolen data undergoes four distinct stages:
- Aggregation: Credentials are tested against live services before being listed, with verified pairs commanding higher prices.
- Packaging: Data is compiled into combo lists, fullz bundles, or stealer logs, with each folder containing browser passwords, cookies, autofill data, and crypto wallet files.
- Listing: The packaged data is posted on a marketplace, often within hours of capture.
- Distribution and Reuse: Buyers purchase the data, monetizing it through fraud, account takeovers, or further intrusions, and frequently reselling the information. Recaptured identity records can circulate in criminal markets for years, leading to ongoing losses for organizations long after the initial breach.
Law Enforcement: Progress and Limits
Prosecution for cybercrime remains an exception rather than the rule. Many operators function from jurisdictions lacking extradition agreements with the U.S. or the EU. For instance, LockBit leader Dmitry Khoroshev remains in Russia despite a $10 million reward from the U.S. State Department. BreachForums has been seized and reconstituted multiple times since 2023, with the latest disruption occurring in October 2025. While each takedown illustrates what is possible, the reconstitutions highlight the challenges faced by law enforcement.
Multi-agency operations have yielded some notable successes:
- Operation Cookie Monster: In April 2023, the FBI led the takedown of Genesis Market, a dark web platform selling browser fingerprints, cookies, and session data from 1.5 million compromised machines, resulting in 119 arrests across 17 countries.
- Operation Cronos: In February 2024, a collaboration between the National Crime Agency, FBI, and Europol led to the shutdown of 34 LockBit servers, freezing 200 cryptocurrency accounts and unmasking Khoroshev.
- Operation RapTor: In 2025, a Europol-coordinated crackdown on vendors across multiple dark web platforms resulted in 270 arrests across 10 countries.
What CISOs Need to Do Now
For Chief Information Security Officers (CISOs), the dark web’s underground economy necessitates a reevaluation of monitoring priorities, risk thresholds, and incident response strategies. Security teams should consider implementing the following measures to mitigate risk:
Use the Dark Web for Risk Intelligence
Credentials often surface in stealer-log datasets days before ransomware attacks are launched. IAB listings target organizations based on revenue and sector, while ransomware leak sites disclose suppliers and customers alongside primary victims. Regular monitoring of dark web intelligence can provide security operations centers with near-real-time insights into criminal activity.
Bolster Risk Management
The dark web economy values data based on its freshness, completeness, and usability. Data that cannot be swiftly converted into access or fraud is less valuable in any marketplace. Three controls can directly reduce this convertibility:
- Enforce strong authentication across all remote access, cloud admin, and SSO entry points.
- Rotate credentials promptly upon any match with a stealer-log domain.
- Apply the principle of least privilege across all accounts.
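As an added example (not part of the original article), the second control can be automated roughly as follows: the script matches constructed threat-intelligence feed rows against an assumed organization domain, `example.com`, and returns the accounts to rotate, newest capture first. The feed field names (`url`, `login`, `captured`) and both function names are assumptions, and the matching is done on label boundaries so that look-alike hosts do not trigger rotations.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample feed rows (not real data): the URL the credential was saved
# for, the login, and the capture date reported by the intelligence provider.
SAMPLE_FEED = [
    {"url": "https://sso.example.com/login", "login": "a.khan@example.com", "captured": "2025-11-02"},
    {"url": "https://vpn.example.com:8443/", "login": "EXAMPLE\\jdoe", "captured": "2025-11-04"},
    {"url": "https://sso.example.com/login", "login": "A.Khan@example.com", "captured": "2025-11-05"},
    {"url": "https://notexample.com/", "login": "bob@gmail.com", "captured": "2025-11-05"},
    {"url": "https://example.com.login-portal.net/", "login": "carol@gmail.com", "captured": "2025-11-05"},
    {"url": "https://mail.thirdparty.test/", "login": "r.silva@example.com", "captured": "2025-10-20"},
]

ORG_DOMAINS = {"example.com"}  # assumption: domains the organization owns


def in_scope(domain, org_domains=ORG_DOMAINS):
    """True if domain equals an org domain or is a subdomain of one (label-boundary match)."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in org_domains)


def rotation_queue(feed, org_domains=ORG_DOMAINS):
    """Return one entry per exposed account, newest capture first."""
    newest = {}
    for row in feed:
        host = urlsplit(row["url"]).hostname or ""
        login = row["login"].strip().lower()
        login_domain = login.rpartition("@")[2] if "@" in login else ""
        # Match on the service host (an org login page) or on the login's mail
        # domain (a corporate address reused on a third-party site).
        if not (in_scope(host, org_domains) or in_scope(login_domain, org_domains)):
            continue
        captured = date.fromisoformat(row["captured"])
        if login not in newest or captured > newest[login]["captured"]:
            newest[login] = {"login": login, "host": host, "captured": captured}
    return sorted(newest.values(), key=lambda e: e["captured"], reverse=True)


if __name__ == "__main__":
    for entry in rotation_queue(SAMPLE_FEED):
        print(entry["captured"], entry["login"], entry["host"])
```

The feed rows deliberately carry no passwords: the rotation decision needs only the account, the host, and the capture date.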
Incident Response
A breach does not conclude when ransomware is contained or a card number is reissued. Stolen records can circulate and be resold for years, fueling downstream attacks stemming from the original incident. Organizations that treat containment as closure are often mistaken. It is crucial to preserve forensic evidence early, engage law enforcement while the trail is fresh, and share indicators through Information Sharing and Analysis Centers.
Source: www.techtarget.com


