This Is What Your Identity Sells For On The Dark Web

Tyler Durden's picture

Millions of Americans who trusted Equifax with sensitive personal and financial data, including social security numbers and credit-card information, are now nervously wondering whether they will be among the unlucky minority of affected customers whose identities are successfully “repurposed” by online criminal groups.

One researcher from security firm SecureWorks shared some details about today’s burgeoning marketplace for stolen data with Bloomberg, and the conclusion is clear: It is now easier – and cheaper – for criminals to access and abuse illicit data than ever before. In fact, a high-limit American express card with a high chance of working can be purchased online for less than $20. Criminals can buy files with thousands of low-limit card numbers for pennies on the dollar.

According to Bloomberg, “verified” high-limit credit cards from developed countries like the US, Japan, and South Korea are selling on the dark web for the bitcoin equivalent of about $10 to $20.

“Verified” means the seller has tested out transactions on the card and found it hasn’t been canceled yet. For scammers on a budget, there’s unverified stolen credit card data, which comes out to pennies a card when bought in bulk.

Here’s a screengrab from one dark-web marketplace.

Luckily for criminals, cards generally aren’t selling any cheaper on the dark web these days, said Alex Tilley, a researcher at Secureworks. Today’s buyers are more likely to get higher-quality cards, ones with sizable limits that can be used fraudulently with ease. It isn’t as hit-or-miss as it used to be, a welcome change for criminals, chilling news for most of us.

Criminals have even set up sophisticated “rating systems” to help value the data. Business cards are preferred, Tilley said, because they don’t have a limit. Those and high-end personal cards—say, a Platinum American Express that has been verified and has an 85 percent rating (judged by the seller to have an 85 percent chance of being successfully used in a fraud)—will go for $15 to $20. A regular Mastercard that doesn’t have a high limit might go for $9.

One underground hacker market inexplicably called Trump’s Dumps is selling full identities of individuals just like you for as little as $10 apiece. They’re called fullz, “dossiers that provide enough financial, geographic and biographical information on a victim to facilitate identity theft or other impersonation-based fraud.” Fullz can help a criminal get past those irritating “secret questions” that sites ask to verify your identity.

Recently, Secureworks’ researchers have seen more offers of bulk pre-verified card details, along with more identifying information about the owners. In some cases, offers even include the cardholder’s mother’s maiden name. Still, they cost just $10 to $12. Below is a fullz offer with a lot of personal identification on a Korean consumer.

In a massive breach like Equifax, hackers can easily walk away with hundreds of millions of dollars in profits from selling the data. Meanwhile, the identity thieves who purchased it can reap their own fortune running their scams.

Congress, the FTC and Equifax customers – enraged by both the company’s reluctance to initially disclose the breach and its carelessness (some would say tight-fistedness) concerning its cybersecurity defenses – have buried the company in lawsuits and official inquiries.

As USA Today revealed yesterday, hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known.

We’re looking forward to hearing the whole story from CEO Rick Smith when he testifies before Congress early next month. Whether Smith manages to hang on to his job remains to be seen - calls for his resignation after a 12-year-long scandal-free tenure are mounting. CNBC's Jim Cramer said last night that Smith "should be fired today."

But perhaps more worrying for Smith and his C-Suite companions are calls from North Dakota Sen. Heidi Heitkamp, who has demanded a criminal investigation into whether the company's executives - several of whom sold stock during the period between when the company first learned about the hack and when it disclosed it to the public - commited securities fraud.

"If that happened, then somebody needs to go to jail," she said.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
sunkeye's picture

Jokes on them all my cards already maxed out.

Lurk Skywatcher's picture

Banning cash will stop all of this illegal behaviour.

Naruhodo's picture

By making criminal behavior legal?

RAT005's picture

Sunkeye, your existing cards aren't the target of the Equifax scandal.  It's opening new lines of credit in your name.

BaBaBouy's picture

""According to Bloomberg, “verified” high-limit credit cards from developed countries like the US, Japan, and South Korea are selling on the dark web for the bitcoin equivalent of about $10 to $20.""

I Fucking Knew It... Bitcoinz Again; The High-Choice Currency of Criminals...

King of Ruperts Land's picture

They should ban those Bitcoins like they banned those chests of gold and silver the pirates of old used.

Troll Magnet's picture

I'd like to know who at Equifax owns stock in LifeLock.

Conservative Calitopian's picture

Exactly. I set up a credit freeze with Equifax and the other 2 credit bureaus about 5 years ago so they have ALL my info. I unlocked it a few years ago but I'm going to lock it up again now. I wonder if Equifax's website is even functioning though to do the change. And even though I'm fighting with Chase Bank and now have a low credit score, my relationship with Citibank is excellent and I need them for my business. So I don't want criminals opening new lines of credit obviously and making life anymore difficult than it already is. Thanks Equifax! Jerks!

boattrash's picture

I hope some of these motherfuckers buy my IRS account!

DanDaley's picture

Yes, public hangings are in order.

s2man's picture

RAT,  did you read the article?  They are selling existing,  verified credit cards.


Identity theft was mentioned briefly,  and that is where getting a new card in your name would come into play. 

HRClinton's picture

Ban Credit Cards.

Problem solved.

SixIsNinE's picture

no kidding Lurk !  and did you see today's important notes about the plastic bucket bomb yesterday!

outrageous!   with cash still available to buy buckets & stuff, there is NO way to catch teh Trerrrrstss!!

we've got to get rid of this outlandishly outdated relic, CASH!

until then, get used to it, BiaTTCheZZZZ



The_Juggernaut's picture

All victims of identity theft should be able to recover all damages from Equifax.

Naruhodo's picture

Yup they're going to refund their victims by compensating them with gift vouchers and food stamps.

Creepy_Azz_Crackaah's picture

It will be one year of free credit "monitoring."

Flamin Rhoid's picture

Terms and services agreement states that you forgo all class action lawsuites.

swmnguy's picture

I believe they've changed that language (very recently).  But yes, that was the gist.

Nobody ever asked Equifax to hold all their private information.  Obviously Equifax has never taken their obligations to Americans seriously.  I've had a couple run-ins with them, where they dragged their feet about updating my file; once to remove a lien I had long since settled, and another time to include the fact I had paid off a car and eliminated the lender as loss payee.  Both times I had to deal with unmotivated employees who had no authority to do anything, and obviously were not encouraged to act.  I provided all paperwork and verification of the paperwork; they did nothing.

If you want to have a lot of fun, get the IRS to document they've released a satisfied lien, and then get Equifax to acknowledge that on your credit report.

Equifax, along with Experian and TransUnion, are consequences of the overall Federal Reserve system.  When we allowed private banks to run our entire system of Finance, we removed every bit of leverage We The People have over our own economy.  The banksters create multiple credit bureaus to act as liability firewalls in both directions; they can avoid risk and liability through their strawman companies.

Equifax posted profits of about $480,000,000 on revenues of about $3,500,000,000 last year.  I believe their total Market Cap is about $17,510,000,000.

143,000,000 of us had our financial ID information stolen because Equifax couldn't be bothered to secure it.

If the Feds seized all of Equifax's profit and split it evenly among each of us victimized, we'd each get about $3.36.

If the Feds seized every share of Equifax stock and split it evenly among each of us victimized, we'd each get about $122.45.

Of course that's an impossibility.  If the Feds were to do anything the value of Equifax stock would sink to current Enron levels.  Not to mention, since we've all been corralled into the stock market as the only source of return on savings, we probably all already own some Equifax stock.

The best thing the Feds could do is to give us all new Social Security numbers, and enforce the laws that state the Social Security number is to be used only for Social Security, not as a de-facto national ID.  Then we need a separate ID system to be used for financial purposes, with the ability for us to change our username and password as with any other such ID.  And nobody should be able to access any of our personal financial data without our verified personal approval.  Public records are, of course, different.

But that's not going to happen either.  True security of financial information would close all the loopholes and illuminate all the gray areas.  Ever wonder why credit card companies are willing to just eat fraudulent costs?  Because that's the trade-off for their ability to make enormous sums handling the money in the international drugs and weapons markets.  They pay out fraud claims with money skimmed from all the various global intelligence agencies and organized crime.  You see the photos of pallets of bales of crisp US $100 bills?  Those all came from a bank, and from the Federal Reserve.  Somebody in Bogota, Columbia did not get that currency by pulling out $200 a day from an ATM over decades, if not centuries.

They're sure as hell not going to make you and me whole, and they won't have to.

Far better for you and me to lock down our own files, require proof of a signature from ourselves before we accept any responsibility for any credit issued in our name, and let the whole system collapse in on itself.  Sure, it might take a few hours longer to buy a car or a house or get a new credit card or a loan.  So what?  The inconvenience is worth it to me and harms me not at all.  It might harm the lenders, who might have to hire some people to implement actual security, but that's not my problem.  This type of fraud wasn't a problem of any consequence 30 years ago, and commerce got done just fine.

Think for yourself's picture

There's a blockchain for that. Cryptographically secured and immutable identity ledger to share access on a case-by-case basis. CVC (Civic). I have to look more into it, parked 20$ for now just to test the waters but it might have real potential - not only as a crypto with nice fundamentals for growth but also providing a service i really believe in.

bluez's picture

Maybe much better to leave social security the hell alone and just issue new "personal designation numbers"!

SixIsNinE's picture

that's the old Algore defense : lockbox bitcheZZZ

but then he bowed down to the shrub and ate it in return for the BillionZZZ for being the Climate ChangerHoaxer Supreme !

Algore the Ultimate slimysalesman fraudster crooked stanking bitcchyyshithead


Conservative Calitopian's picture

Excellent points sir SWMNGUY!

runswithscissors's picture

Draw & quarter richard smith of the equifax 

boattrash's picture

My list, which is actually a scroll, has a shitload of people ahead of Richard Smith.

JLee2027's picture

The crooks can now file phony tax returns by the tens of millions to get fake EITC payments


The entire system has collapsed. It's over. Matter of time.



gregga777's picture

Silly people. The outrage from the usual and unusual political parasites is all performance theater. Prosecutors don't prosecute crimes by CONporations, political parasites, Oligarchs, etc. That's where all of their bribes come from. The Law in the United States of America is only applied to protect the status quo elites and CONporations from the American People. And if that doesn't work they just murder the offenders ala Ruby Ridge, the Branch Davidians at Waco, the Oregon Wildlife Occupation, innumerable shootings by the cops, etc.

SixIsNinE's picture

gregga!  what!?  you mean to tellme alll these teh switttweitwitterStormZZZees i'z a been hearing about is just a performance theater?!

no wayz a Mister Gregga!

Twits&Twats dont' lies to us a Missa Gregga!



say it ain't so Massa Gregga!

Obsidian Samctum's picture

Hopefully someone takes my identity so I can disappear.

Oracle of Kypseli's picture

A bunch of us checked in at the Marriott and all CC's were compromised. Apparently the staff sold the info. Except mine as once someone told me to put an error either in the zip code or the street number, or phone etc. when you fill out the cards at the check in counter.


SixIsNinE's picture

consult Prince David Bowie for details

Naruhodo's picture

It's better you create many dopplegangers of yourself, that way you can always push the blame around.

"It was not me but the other me who ran away with the money".Will future human cloning be debt free?

besnook's picture

i was hacked by a nice thief. they only took 300 dollars.

consider me gone's picture

See? There are good and decent thieves still  out there.

chunga's picture

It seems to me third parties that mishandle peoples' identities should be liable for all damages that result from their negligence.

consider me gone's picture

All the credit agencies should have put every identity on lock by now. For free. I mean come on, 150 million identities out there to the highest bidder? 


Creepy_Azz_Crackaah's picture

Yeah, I did mine a few years ago. It ended up being free since some of my account info might have been compromised in a hack at some corp. I think my credit union. . Everyone should freeze their credit checks.

Creepy_Azz_Crackaah's picture

Then again, there are two people who want their credit easily checked and stolen from the a$$hole credit rating companies. LOL!

Ben A Drill's picture

Could someone please explain to me how a CC is safer with a chip? Seems to me that online sales don't factor in the chip or makes no difference.

Nor does the fact that less than 1K in a transaction even get flagged by a cashier. How many times have you made a transaction without a cashier asking for ID.? At a gas pump all you need to know is the zip code. How safe is that if the crooks have all your information.

I bought a wallet that was lead lined so I couldn't be hacked. Not to say that the restaurant I went to copied all my info on my card and sold or used it. Same goes with going to the doctor, dentist, or any establishment that has video cameras that can zoom in and get your CC info.

In my book cash is king in these sanarios.

Naruhodo's picture

You're not any safer with more of your personal details being held centrally by crooks. They'll find ways of how to manipulate them creatively for their own gains.It's like entrusting a thief to guard your personal vault or a fraudster to keep your sensitive documents.


Best is still hard cash and gold. Cut up all your electronic based bank cards.It is not worth the convenience in exchange for your personal data.

cynicalskeptic's picture

Wait until we're all chiped.  You won't be able to buy anything without your RFID chip.  You won't be able to even log into your smart phone or computer without it.  Any phome or online purchases will require verification through built in scanners.

All for your protection.

canisdirus's picture

The chips are highly secure. They require direct contact with a reader and have a challenge-response process that must complete successfully for the card to be used. The thing to worry about are the magnetic strips on a card, which contain unencrypted data that is generally moved unencrypted through a merchant's card processing network. The recent Target breach was of this type... Only superstitious and uninformed people believe the chips on their cards are wireless. The vendors selling blocking wallets are preying upon this ignorance. The banks did play with contactless card tech years ago, but I haven't seen a card with it issued in nearly 10 years (you can tell by a logo on the card that looks like a wifi symbol on it's side with extra lines). Our smartphones now use the receivers built into card terminals for NFC payments, which are at least as secure as chip readers. The only remaining contactless tech that is insecure that you probably possess is in your passport. That is the one case where an "RFID-blocking" case is worth the extra. Your wallet likely has nothing that can be read remotely.

Rebelrebel7's picture

Yep. Trading on that without notifying Congress so that they could reap on the volatility is criminal.

Rebelrebel7's picture

Martha Stewart goes to jail Goldman Sachs and JPM go to the whitehouse. 

That is what happens when you are intelligent enough to create your own Empire. Now Trump is learning that. 

It gives the Wall St. And university Collectivists a nervous breakdown that you are smarter than they are and may not need them, because they can't do it on their own.

Tylers can though.  Zero Hedge is a doozy of a business ! I love them  for it!

Parrotile's picture

Not intelligent, but connected (with the "right" people).


With Parents who understood that it's not WHAT you know, rather WHO you know, that leads to a prosperous, easy life.'s picture

Maybe they can drag Martha Stewart out of her kitchen and prosecute her to satisfy the thirsty beast.

Rebelrebel7's picture

Evedintly,  you are either very young, or have been on a really long bender. I would place all of my chips  on bender.

StephenHopkins's picture

They gave my identity back and put a C note in my account.

Lumberjack's picture

Musta been that Nigerian Prince.