Your account may be listed for sale on the dark web — revealing the complete chain of data theft


Every time you enter your account credentials on a phishing page, they could be packaged and sold on the dark web for less than a hundred dollars. This is not alarmist; cybercrime has already built a complete industry chain. This article traces the entire process, from data collection through circulation to final use, revealing the black market behind dark web data trading.

How Is Data Stolen?

Before a phishing attack truly begins, attackers need to set up a “device” to collect data. Our analysis of real phishing pages shows that cybercriminals mainly use three methods to obtain the information you input on fake websites:

First: Email Forwarding (Being Phased Out)

After victims submit data through a phishing page form, the information is automatically sent via PHP script to an email controlled by the attacker. This is the most traditional method, but it has fatal flaws—email delivery delays, easy interception, and the sender server being easily blacklisted. Therefore, this method is gradually being replaced by more covert techniques.

We previously analyzed a phishing toolkit targeting DHL users. Its scripts automatically forward victims’ email addresses and passwords to specified mailboxes, but due to email limitations, such operations are now obsolete.

Second: Telegram Bots (Increasingly Popular)

Unlike the email method, attackers embed an API link containing a bot token and chat ID in their code, which pushes data in real time to a Telegram bot and instantly notifies the operator.

Why is this method more favored? Because Telegram bots are harder to track and ban, and their performance isn’t dependent on the hosting quality of the phishing page. Attackers can even use disposable bots, greatly reducing the risk of being caught.

Third: Automated Management Panels (Most Professional)

More sophisticated criminal groups purchase or rent dedicated phishing frameworks such as BulletProofLink or Caffeine, commercial platforms offered as a “platform-as-a-service.” These give attackers a web dashboard in which all stolen data is aggregated into a unified database.

These management panels typically feature powerful functions: attack success statistics by country and time, automatic validation of stolen data, support for multiple export formats. For organized crime groups, this is a key tool to improve efficiency. Notably, a single phishing campaign often employs multiple collection methods simultaneously.
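For analysts triaging a captured kit, the first two collection methods leave recognizable strings in the source. The following added example (not code from the original article or from any kit it describes) scans kit files for PHP mail() drops and Telegram Bot API links and returns the drop mailbox, bot ID and chat ID as indicators for reporting; the regexes, file names and the sample kit are constructed assumptions.

```python
import re

# Telegram Bot API URL with an embedded bot token (<numeric bot id>:<secret>).
TG_URL = re.compile(r"api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{30,})/(\w+)")
# chat_id written as a PHP variable, array key, or URL query parameter.
TG_CHAT = re.compile(r"chat_id['\"]?\s*(?:=>|=|:)\s*['\"]?(-?\d+)")
PHP_MAIL = re.compile(r"\bmail\s*\(")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: only the lines a scanner keys on, not a working kit.
SAMPLE_KIT = {
    "index.html": '<form action="next.php" method="post"></form>',
    "next.php": '$to = "drop@example.invalid";\nmail($to, $subject, $body);',
    "send.php": ('$chat_id = "-1000000000001";\n'
                 '$api = "https://api.telegram.org/'
                 'bot1234567890:CONSTRUCTED_TOKEN_NOT_REAL_0000000000/sendMessage";'),
}

def find_exfil_channels(files):
    """files: {path: source text}. Return one finding per collection channel."""
    findings = []
    for path, src in files.items():
        for m in TG_URL.finditer(src):
            token = m.group(1)
            findings.append({
                "file": path, "method": "telegram",
                "bot_id": token.split(":")[0],
                # Keep only a short prefix so reports do not spread the secret.
                "token_redacted": token[:token.index(":") + 5] + "...",
                "api_call": m.group(2),
                "chat_ids": sorted(set(TG_CHAT.findall(src))),
            })
        if PHP_MAIL.search(src):
            findings.append({"file": path, "method": "email",
                             "recipients": sorted(set(EMAIL.findall(src)))})
    return findings

def methods_used(findings):
    """Distinct collection methods seen across the whole kit."""
    return sorted({f["method"] for f in findings})

if __name__ == "__main__":
    for finding in find_exfil_channels(SAMPLE_KIT):
        print(finding)
```

A kit that returns more than one method here matches the observation that a single campaign often uses several collection channels at once.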

What Types of Data Are Leaked? Their Values Vary

Not all stolen data have the same value. In the hands of criminals, data are categorized into different levels, corresponding to different prices and uses.

Based on statistical analysis over the past year, we find the distribution of targets in phishing attacks as follows:

  • Online account credentials (88.5%): usernames and passwords. This is the most commonly stolen data because even just an email or phone number has value—attackers can use them for account recovery attacks or subsequent phishing.

  • Personal identity information (9.5%): name, address, date of birth, etc. Such info is often used in social engineering attacks or combined with other data for targeted scams.

  • Bank card information (2%): card number, expiry date, CVV, etc. Although the smallest proportion, it has the highest value and is tightly protected.

The specific value of data also depends on additional account attributes—account age, balance, whether two-factor authentication (2FA) is enabled, linked payment methods, etc. A newly registered account with zero balance and no 2FA is almost worthless, but a ten-year-old account with extensive purchase history and linked real bank cards can be worth hundreds of dollars.

The Business of the Dark Web Market: How Data Goes “From Theft to Sale”

Stolen data’s final destination is the dark web. What happens here? Let’s trace this hidden industry chain:

Step 1: Data Packaging and Bulk Selling

Stolen data are not immediately exploited after collection but are packaged into compressed files—often containing millions of records from various phishing and data breach events. These “data packs” are sold at low prices on dark web forums, sometimes for as little as $50.

Who buys this data? Not necessarily hackers directly conducting scams, but dark web data analysts—middlemen in the supply chain.

Step 2: Classification, Validation, and Archival Building

Dark web data analysts process the purchased data. They categorize it by type (email, phone, bank card, etc.), then run automated scripts to verify—checking if a Facebook password also works to log into Steam or Gmail.

This step is crucial because users tend to reuse identical or similar passwords across multiple sites. Old data leaked from a service years ago can still open doors to other accounts today. Verified, still-active accounts fetch higher prices when resold.

Additionally, analysts correlate and integrate data from different attacks. An old social media leak with passwords, a phishing form login credential, a phone number left on a scam site—these seemingly unrelated fragments are assembled into a comprehensive digital profile of a specific user.

Step 3: Professional Sale on Dark Web Markets

Validated and processed data are listed on dark web forums or Telegram channels—these “online shops” display prices, product descriptions, and buyer reviews, similar to regular e-commerce.

Account prices vary widely. A verified social media account might only be worth $1–$5, but a high-balance online banking account with long usage history, linked real bank cards, and 2FA enabled could be worth hundreds of dollars. Price depends on multiple factors: account age, balance, linked payment methods, 2FA status, and platform reputation.

Step 4: Precise Hunting of High-Value Targets

Dark web data are not only used for large-scale general scams but also for targeted “whale phishing” attacks. These are aimed at high-value targets like corporate executives, accountants, or IT administrators.

Imagine this scenario: Company A experiences a data breach, revealing information about a former employee who now works as an executive at company B. Attackers use open-source intelligence (OSINT) to confirm the person’s current position and email. Then they craft a convincing phishing email supposedly from the CEO of company B, even referencing facts about the victim’s previous employer that were obtained from dark web data. This significantly lowers the victim’s suspicion, increasing the chance of further intrusion into company B.

Similar attacks are not limited to corporations. Attackers also target individuals with high bank balances or those holding important documents (like loan application files).

The Shocking Truth About Stolen Data

Stolen data are like an indestructible commodity—they are accumulated, integrated, repackaged, and reused repeatedly. Once your data enters the dark web, it could be used months or even years later to launch targeted attacks, extortion, or identity theft.

This is not an exaggeration. It is the reality of today’s cyber environment.

Protective Measures You Should Take Now

If you haven’t yet secured your accounts, start now:

Immediate Actions (to prevent data leaks):

  1. Use unique passwords for each account. This is the most basic but effective protection. If one platform leaks, your other accounts remain safe.
  2. Enable multi-factor authentication (MFA/2FA). Turn it on wherever supported; it stops attackers from getting in even if they have your password.
  3. Regularly check if your data has been leaked. Use services like Have I Been Pwned to see if your email appears in known data breaches.

Remedial steps if you become a victim:

  1. If bank card info is leaked, contact your bank immediately to report and freeze the card.
  2. Change passwords for compromised accounts and all other services using the same password.
  3. Review login history, terminate suspicious sessions.
  4. If social media or messaging accounts are compromised, notify friends and family to watch out for fraud messages sent in your name.
  5. Be cautious of any unexpected emails, calls, or offers—they may seem legitimate but could be exploiting your leaked dark web data.
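To act on the unique-password advice and on remedial step 2, it helps to know which of your accounts share a password, or a close variant of one, with an account that leaked. The following added example (not from the original article) audits a locally exported password list; the similarity heuristic, the function names and the sample vault are constructed assumptions.

```python
import re
from collections import defaultdict

# Common character substitutions, undone so "$unsh1ne" and "sunshine" compare equal.
LEET = str.maketrans("013457@$!", "oieastasi")

# Constructed sample vault: {site: password}, e.g. a password-manager export.
VAULT = {
    "forum.example": "Sunshine2019",
    "shop.example": "Sunshine2019",
    "mail.example": "$unsh1ne!",
    "games.example": "sunshine#22",
    "bank.example": "kV9#tq2LmZ!x",
}

def base_form(password):
    """Reduce a password to its stem: ignore case, trailing digits/symbols, leetspeak."""
    stem = password.lower().rstrip("0123456789!@#$%^&*?._-")
    return re.sub(r"[^a-z]", "", stem.translate(LEET))

def audit_reuse(vault, min_stem=4):
    """Return (exact, similar): groups of sites sharing a password or a stem."""
    by_exact, by_stem = defaultdict(list), defaultdict(list)
    for site, pw in vault.items():
        by_exact[pw].append(site)
        stem = base_form(pw)
        if len(stem) >= min_stem:          # very short stems match too much
            by_stem[stem].append(site)
    exact = [sorted(s) for s in by_exact.values() if len(s) > 1]
    similar = [sorted(s) for s in by_stem.values()
               if len({vault[x] for x in s}) > 1]
    return sorted(exact), sorted(similar)

def exposed_by(vault, leaked_site, min_stem=4):
    """Sites whose password should also be changed if leaked_site is breached."""
    leaked = vault[leaked_site]
    stem = base_form(leaked)
    return sorted(
        site for site, pw in vault.items()
        if site != leaked_site and
        (pw == leaked or (len(stem) >= min_stem and base_form(pw) == stem)))

if __name__ == "__main__":
    print(audit_reuse(VAULT))
    print(exposed_by(VAULT, "forum.example"))
```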

The existence of dark web markets has changed the rules of cybercrime. Data are no longer one-time loot but commodities that can be repeatedly exploited. The best way to protect yourself is to act now, not wait until you are attacked and regret it.

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.