It’s possible to dip your toe into online fraud for less than the price of a coffee, according to new research into the illicit sale of hacking tools on the dark web. Among the cheapest items traded are fake pages and password hacking tools for a massive array of brands from Apple and Facebook to Walmart and Amazon, selling for around $2.
For more details on the websites and apps affected see the brands section of our findings. For UK-focused data refer to the UK edition of the Dark Web Market Price Index.
We also discovered that for as little as around $125 you can buy an impressive set of hacking tools that would permit a cybercrime spree, from infecting people with malware to hacking WiFi networks, all with a view to stealing personal info to commit identity theft.
Other pocket-change hacking tools include keyloggers ($2.07 on average), WiFi hacking software ($3), Bluetooth hacking tools ($3.48) and even powerful malware for not much more than most people spend on their lunch (Remote Access Trojans, $9.74).
At the other end of the scale, we found powerful devices typically used by the police that spoof cell towers and can intercept cell data, with the highest bandwidth versions listing at $50,000.
The alarmingly low barrier of entry to online fraud is lowered even further by the proliferation of hacking manuals typically selling for $9 or less or even thrown in for free as a sweetener with the sale of hacking tools.
Most of us have dozens of online accounts that can be hacked with the right tools and techniques. Our team of security experts reviewed tens of thousands of listings on five of the most popular dark web markets; Dream; Point; Wall Street Market; Berlusconi Market; and Empire. These encrypted websites, which can only be reached using the Tor browser, allow criminals to anonymously sell hacking tools, along with all sorts of other contraband, such as illicit drugs, stolen info and weapons.
We focused on listings featuring hacking software and hardware, digital files used in fraud, guides for online scams, and fraudulent accounts to create this edition of the Dark Web Market Price Index. We analyzed each listing and calculated average sale prices for categories of items sold to help the UK public understand just how easy it is for a rookie fraudster to get started.
Dark Web Market Price Index – Hacking Tools (July 2018 – US Edition)
|Item for Sale||Average Sale Price|
|Tools||Password Hacking Tool Custom Files||$1.96|
|WiFi Hacking Software||$3.00|
|Bluetooth Hacking Software||$3.48|
|FBI/NSA Hacking Tools||$5.64|
|Cryptocurrency Fraud Malware||$6.07|
|Remote Access Trojan||$9.74|
|Password Hacking Software||$50.64|
|Cryptocurrency Miner Malware||$73.74|
|Cell Tower Simulator Kit||$28,333.33|
|Postal System Stealth||$3.35|
Source: Dark web market listings collected over July 2-25 2018. Markets monitored were Dream, Point, Wall Street Market, Berlusconi Market and Empire Market. Prices collected in USD and converted to GBP using exchange rate at time of listing.
Sale Prices Explained
Password Hacking Tool Custom Files
Numerous password cracking programs are only a Google search away even on the normal web. Legitimately useful for improving server security by discovering weak passwords, they can also be used maliciously.
Requiring proper configuration for each target, enterprising hackers are selling files containing customized settings for pretty much any app or website you can think of, from email and social media to gaming and online shopping. Each one will typically set you back just $1.96. We collated a list of brands that we found with such files advertised but there’s many more appearing daily.
Simple yet effective software that captures every keystroke on your computer. It can be installed a number of ways, including remotely, and is used by scammers to grab login credentials and fraudulently access accounts. The average price on the dark web was just $2.07.
Phishing – or the fraudulent attempt to obtain personal information by pretending to be a trusted entity, such as a popular website or financial institution – is one of the most common ways cybercriminals steal not only logins but what credit card hackers call “fullz”, or the full package of identifying information that enables identity theft.
We found that ready-made phishing pages for the world’s most popular consumer brands proliferate on the dark web, driving the price down to a near-uniform $2.07. We noted that the only brands to cost more than this were Apple, more than double the price at $5.11 and Netflix at $3.54 suggesting the greater value of their customers to scammers.
WiFi Hacking Software
This type of software is intended for testing and improving the security of your wireless network by brute forcing passwords and sniffing the data being broadcast. It may be illegal to use it on a network without permission from its owner but that won’t stop hackers determined to steal your data.
It’s possible to access this type of software for free on the normal web, so dark web vendors sell cheaply ($3) and tend to offer bundles including additional resources and even customer support to tempt buyers.
Bluetooth Hacking Software
The Bluetooth hacking software we discovered had a very specific purpose: to hack smartphones and call premium numbers, racking up the cost on victims’ accounts. The average cost was $3.48.
Note, the more typical type of Bluetooth hacking tends to be done via hardware gadgets sold on the normal web.
FBI/NSA Hacking Tools
The series of leaks of US intelligence agency cybertools in recent years has put some extremely powerful hacking tools in the public domain and arguably led to an increase in cybercrime. Massive bundles of this professional grade software are being traded for the price of a beer ($5.64), despite notionally being worth thousands of dollars.
We discovered listings offering tools that among other things could:
- retrieve deleted texts from smartphones
- bypass lockscreens
- find passwords to encrypted backups
- extract data from cloud services
- decryption of items protected by BitLocker, TrueCrypt and other encryption services
- retrieve passwords from numerous applications
Cryptocurrency Fraud & Miner Malware
Cryptocurrency, such as Bitcoin or Monero, is very attractive to cybercriminals due to its potential for anonymous transactions and rocketing value. We found two types of malware relating to crypto: tools for either stealing it or creating it.
Malware, or malicious software, tends to be implanted on victims’ computers to cause mischief of some kind. The crypto fraud malware we found sells for $6.07 and promises to steal a target’s Bitcoin, currently trading at over $7,800 at the time of writing.
As there is no central bank issuing new notes, cryptocurrencies are instead created by “mining”, ie the performing of calculations required to verify transactions.
It becomes exponentially more difficult to do this as miners compete to complete the calculations, so the more processing power you have, the more currency you can generate. One way to cheaply scale up processing power is to infect as many people as possible with mining malware and run the process in the background on multiple machines.
The malware we found was for Monero rather than Bitcoin as it’s less valuable – it was trading at $141 at the time of writing – and therefore easier to mine. Nevertheless, this malware commands an average of $73.74 on the dark web, and sometimes much more than that.
This is a catch-all category that includes other kinds of hacking tool not covered elsewhere in our index. It includes tools for checking credit card balances, phone passcode bypassers and a tool for hacking PCs via RDP (Remote Desktop Protocol).
Remote Access Trojan
This particularly nasty strain of malware allows a hacker to take full control of your computer. Not only can they log all your keystrokes and access private files in order to commit identity theft and defraud you, but it’s unfortunately also common for voyeurs to use these so-called RATs for webcam spying.
We found several listings for the notorious and extremely powerful Blackshades RAT that’s believed to have infected over half a million devices. This trojan also allows hackers to include infected computers in a botnet. We also found RATs for use on the Android operating system. The average cost for these powerful tools was just $9.74.
Rookie hackers can pay to cover their tracks with a range of anonymity tools that trade for an average of $13.19. These include custom web browsers, such as the heavily modified version of Firefox dubbed FraudFox VM, and crypters, tools that disguise malware as benign files. We also found anonymous SMS and phonecall spoofers for use in scams, each costing less than $1.
We found a wide range of digital templates for bank statements, utilities, passports, pay stubs and driving licenses with detailed guides on how to use them effectively. The typical price for these files was $13.97, reflecting their value when used in combination with stolen information to open lines of credit.
When used with cheap and readily available hardware, this very powerful software allows con artists to clone credit and debit cards and changes hands for an average of $44.37. It sells for over $2,600 through official channels.
Password Hacking Software
We found a wide pricing spectrum for password crackers. The most expensive was over $750 for a program designed to crack accounts at a popular Canadian loyalty program that’s already been the subject of a high-profile attack. More common were programs designed to brute force passwords for social media, with Facebook and Instagram heavily targeted, and more general account crackers promising access to Netflix, Spotify and Amazon among others, costing well under $10.
Among the malware we found (costing $45 on average) were custom instances of ransomware that will lock up your computer, permanently encrypting its contents unless a ransom is paid. Vendors boasted that their malware was undetectable by antivirus and could be customized based on your own preferences. We also found the Blackhole exploit kit for sale, a method of spreading malware and once described as the most notorious malware of its kind.
A vital part of a successful scam will often be a secure destination for the ill-gotten gains, whether that be an unsuspicious account or a postal address with no connection to the fraudster. This is reflected in the relatively high cost of such items on the dark web at $145.05 on our index.
We found listings for Swiss Post accounts claiming to be fully verified and “not hacked – nobody knows about their existence, so you can use them securely”. We also found aged and verified Paypal business accounts and other similar accounts.
Cell Tower Simulation Kit
These kits may set you back up to $50,000 but they are incredibly powerful devices, known as IMSI-catchers or more colloquially as “stingrays”. They are typically used by police and intelligence services to secretly intercept mobile phone traffic.
A hacker with a stingray could spoof a mobile phone tower sending out signals that forced nearby devices to connect, identify themselves and send texts and calls through the fake tower. This kind of dragnet would scoop up an incredible amount of data for a hacker to take advantage of.
Thanks to the dark web, lack of knowledge or technical experience is no barrier to successfully committing cybercrimes. Not only are the tools available for pocket change but manuals to committing these deeds are also similarly cheap and easy to access.
As well as step-by-step guides on how to hack accounts or infect people with malware, we also discovered exploits for sale. These listings were sometimes very expensive (over $9,000 in one instance) and promised to share details of vulnerabilities that would net the buyer many thousands of pounds profit.
Other more disturbing guides advertised methods for targeting the young userbase of popular video game Minecraft for infection with the remote access trojans discussed above.
We selected the following suite of tools that would allow a wannabe hacker to commit online fraud in the most common ways while also avoiding detection in order to determine the financial barrier of entry to this type of cybercrime. The total average cost was $125.71.
|Item||Average Sale Price|
|Cryptocurrency Fraud Malware||$6.07|
|Remote Access Trojan||$9.74|
|WiFi Hacking Software||$3.00|
We found phishing pages and password hacking tool custom files on sale for over 60 major apps and websites. For around $2, these items are designed to not only give scammers to those particular accounts but also get enough of a foothold into your personal data to commit identity theft. Once a hacker has pieced together enough of your personal info, they can open lines of credit in your name and cause you major problems that can be life-altering and very time-consuming to resolve.
These are some of the biggest brands we found, for the full list see our dark web market brands data set.
|Brand||Average Sale Price|
Has Your Data Been Stolen?
Check if your login information has been stolen in a breach. The Have I Been Pwned tool helps identify accounts that have been breached. If an email address you insert returns leaked passwords, you need to stop using those passwords immediately.
Get a Secure VPN
Use a VPN service regularly, if not all the time. A VPN hides your IP address and adds a layer of encryption to your internet connection. This is ideal to stay secure, particularly on free and insecure public WiFi. Read our review of ExpressVPN, one of the most secure VPNs, which also uses HTTPS Everywhere to secure your traffic when you visit insecure HTTP-only websites.
Use a Password Manager
Start using password manager software, which generates secure passwords and saves your login credentials in a secure app. You can then autofill your login data into sign-in forms, so you no longer need to type it in. This way keylogger software can’t capture your sign-in information.
Delete Accounts You Don’t Use
If you have online accounts that you no longer need, delete them permanently. The data these accounts contain can be used for identity theft if it falls into the wrong hands. Criminals can also use it to log into your more important accounts, especially if you’re using similar passwords.
Enable Two-factor Authentication
Two-factor authentication (2FA) makes it much harder to hack into an online account. With 2FA enabled, you’ll need to confirm it’s really you trying to log into a website or application. Usually, you have to confirm your login attempt by providing a unique six-figure number sent to you via SMS, or via an Authenticator app. We recommend you choose the latter method.
Our team reviewed all fraud-related listings on five of the largest dark web markets, Dream, Point, Wall Street Market, Berlusconi Market and Empire Market over 2-25 July, 2018. Relevant listings were collated and categorized in order to calculate average sale prices. Prices were collected in USD and converted to GBP using the exchange rate at the time of listing ($1.31 rate).
Dark Web Market Price Index: Hacking Tools (July 2018)
Refer to the main edition of Dark Web Market Price Index for stolen consumer data pricing.
The authors of all our investigations abide by the journalists’ code of conduct.