by Thomas Holt, Michigan State University, [This article first appeared in The Conversation, republished with permission]

Every year, massive data breaches harm the public. The targets are email service providers, retailers and government agencies that store information about people. Each breach includes sensitive personal information such as credit and debit card numbers, home addresses and account usernames and passwords from hundreds of thousands – and sometimes millions – of people.

When National Public Data, a company that does online background checks, was breached in 2024, criminals gained the names, addresses, dates of birth and national identification numbers such as Social Security numbers of 170 million people in the U.S., U.K. and Canada. The same year, hackers who targeted Ticketmaster stole the financial information and personal data of more than 560 million customers.

As a criminologist who researches cybercrime, I study the ways that hackers and cybercriminals steal and use people’s personal information. Understanding the people involved helps us to better recognize the ways that hacking and data breaches are intertwined. In so-called stolen data markets, hackers sell personal information they illegally obtain to others, who then use the data to engage in fraud and theft for profit.

The quantity problem

Every piece of personal data captured in a data breach – a passport number, Social Security number or login for a shopping service – has inherent value. Offenders can use the information in different ways. They can assume someone else’s identity, make a fraudulent purchase or steal services such as streaming media or music.

The quantity of information, whether Social Security numbers or credit card details, that can be stolen through data breaches is more than any one group of criminals can efficiently process, validate or use in a reasonable amount of time. The same is true for the millions of email account usernames and passwords, or access to streaming services that data breaches can expose.

This quantity problem has enabled the sale of information, including personal financial data, as part of the larger cybercrime online economy.

eg: In headline of the following chart, U.S. doesn’t need periods.

The sale of data, also known as carding, references the misuse of stolen credit card numbers or identity details. These illicit data markets began in the mid-1990s through the use of credit card number generators used by hackers. They shared programs that randomly generated credit card numbers and details and then checked to see whether the fake account details matched active cards that could then be used for fraudulent transactions.

As more financial services were created and banks allowed customers to access their accounts through the internet, it became easier for hackers and cybercriminals to steal personal information through data breaches and phishing. Phishing involves sending convincing emails or SMS text messages to people to trick them into giving up sensitive information such as logins and passwords, often by clicking a false link that seems legitimate.

One of the first phishing schemes targeted America Online users to get their account information to use their internet service at no charge.

Selling stolen data online

The large amount of information criminals were able to steal from such schemes led to more vendors offering stolen data to others through different online platforms.

In the late 1990s and early 2000s, offenders used Internet Relay Chat, or IRC channels, to sell data. IRC was effectively like modern instant messaging systems, letting people communicate in real time through specialized software. Criminals used these channels to sell data and hacking services in an efficient place.

In the early 2000s, vendors transitioned to web forums where individuals advertised their services to other users. Forums quickly gained popularity and became successful businesses with vendors selling stolen credit cards, malware and related goods and services to misuse personal information and enable fraud.

One of the more prominent forums from this time was ShadowCrew, which formed in 2002 and operated until being taken down by a joint law enforcement operation in 2004. Their members trafficked over 1.7 million credit cards in less than three years.

Forums continue to be popular, though vendors transitioned to running their own web-based shops on the open internet and dark web, which is an encrypted portion of the web that can be accessed only through specialized browsers like TOR, starting in the early 2010s. These shops have their own web addresses and distinct branding to attract customers, and they work in the same way as other e-commerce stores. More recently, vendors of stolen data have also begun to operate on messaging platforms such as Telegram and Signal to quickly connect with customers.

Cybercriminals and customers

Many of the people who supply and operate the markets appear to be cybercriminals from Eastern Europe and Russia who steal data and then sell it to others. Markets have also been observed in Vietnam and other parts of the world, though they do not get the same visibility in the global cybersecurity landscape.

The customers of stolen data markets may reside anywhere in the world, and their demands for specific data or services may drive data breaches and cybercrime to provide the supply.

The goods

Stolen data is usually available in individual lots, such as a person’s credit or debit card and all the information associated with the account. These pieces are individually priced, with costs differing depending on the type of card, the victim’s location and the amount of data available related to the affected account.

Vendors frequently offer discounts and promotions to buyers to attract customers and keep them loyal. This is often done with credit or debit cards that are about to expire.

Some vendors also offer distinct products such as credit reports, Social Security numbers and login details for different paid services. The price for pieces of information varies. A recent analysis found credit card data sold for US$50 on average, while Walmart logins sold for $9. However, the pricing can vary widely across vendors and markets.

Illicit payments

Vendors typically accept payment through cryptocurrencies such as Bitcoin that are difficult for law enforcement to trace.

Once payment is received, the vendor releases the data to the customer. Customers take on a great deal of the risk in this market because they cannot go to the police or a market regulator to complain about a fraudulent sale.

Vendors may send customers dead accounts that are unable to be used or give no data at all. Such scams are common in a market where buyers can depend only on signals of vendor trust to increase the odds that the data they purchase will be delivered, and if it is, that it pays off. If the data they buy is functional, they can use it to make fraudulent purchases or financial transactions for profit.

The rate of return can be exceptional. An offender who buys 100 cards for $500 can recoup costs if only 20 of those cards are active and can be used to make an average purchase of $30. The result is that data breaches are likely to continue as long as there is demand for illicit, profitable data.

This article is part of a series on data privacy that explores who collects your data, what and how they collect, who sells and buys your data, what they all do with it, and what you can do about it.

Thomas Holt, Professor of Criminal Justice, Michigan State University

This article is republished from The Conversation under a Creative Commons license. Read the original article.