Hidden data trade - How our data circulates on the black market

by Michèle Trebo
on February 14, 2025
time to read: 16 minutes

Key points

How cybercriminals cash in on our information.

  • Cybercriminals trade sensitive information on anonymous platforms
  • Encrypted marketplaces and messenger services facilitate the illegal exchange of stolen data
  • Identity theft, fraud and blackmail are common consequences of data misuse
  • Not only companies, but also criminals have an interest in valuable data

Our data is of great value to both companies and cyber criminals. There are hidden markets on which stolen information is traded. This includes credit card data, passwords and other personal information. Anonymous platforms on the darknet and messenger services such as Telegram facilitate this trade. The data often falls into the wrong hands due to security gaps or fraudulent methods. The misuse of stolen information can have serious consequences for those affected.

The dark side of the internet

The amount of information on the web is growing, with most people only accessing content on the surface of the web via traditional search engines. The deep web, on the other hand, is a huge collection of web pages, mostly from database-driven websites, which make up a large part of the entire web. These pages are invisible to traditional search engines. A hidden area of the internet, the darknet, is part of the deep web and is only accessible via specialized software such as the Tor browser, I2P or Freenet. Due to the guaranteed anonymity, it often serves as a platform for illegal activities such as cybercrime, drug trafficking and digital blackmail, but is also used for legal purposes such as whistleblowing or the protection of freedom of expression.

Myth and reality

The darknet is often described as a dangerous and secretive place that is used by criminals and terrorists for illegal activities. However, this myth fails to recognize the multifaceted aspects of the darknet. It was originally created as a response to the increasing surveillance on the internet, with the aim of ensuring anonymity and privacy. For people living in authoritarian states, it provides a platform where they can express their opinions freely without the risk of being persecuted or punished. In such countries, the darknet is an important resource for journalists and activists who might otherwise be silenced. On the other hand, the darknet is also exploited by criminals who use the encryption technologies and anonymity to operate illegal markets. These markets include not only the trade in drugs and weapons, but also the trade in stolen data. The darknet is therefore a double-edged sword whose use brings both opportunities and risks.

Why our data is valuable

Data determines economic decisions, drives innovation and is of interest to companies and criminals alike. Every click, every search query and every interaction on the internet leaves digital traces that provide detailed insights into our identity, preferences and financial circumstances. However, the true value of data goes beyond its immediate monetary benefit. Data not only has a direct value, for example in the form of unique industry-specific information, but also a potential value that can be leveraged through targeted analysis and the use of artificial intelligence. Historical data is particularly valuable as it forms the basis for precise forecasting models and can predict future developments. Companies that strategically evaluate data can gain a competitive advantage as a result. But it is not only companies that benefit from the flood of data. Sensitive information such as credit card data, passwords or medical records are traded as valuable commodities on the darknet. Cyber criminals use advanced techniques to steal data, sell it on or misuse it for identity theft and fraud. The value of our data results not only from its commercial use, but also from the risks associated with its misuse. In an increasingly data-driven world, it is clear that data is a central asset of our digital society and requires conscious and secure handling.

Where stolen data is traded

Stolen data has greatly increased in trading value on the darknet. The expansion of data trading can be attributed to several factors. The increase in data breaches and data leaks has led to more personal data being available for trading on the darknet. This is also reflected in a study, according to which the distribution of stolen data increased elevenfold between 2015 and 2021. Due to its high level of anonymity, the darknet enables this data to be traded undetected, making it easier for criminals to conceal their identity and evade prosecution. In addition, the use of cryptocurrencies facilitates anonymous transactions, which further simplifies the trade in stolen data. At the same time, the professionalization of darknet markets has led to a safer and more efficient trading environment. These markets offer user-friendly interfaces and reliable services, further fueling the trade in stolen data. Finally, the growing demand for stolen data used for illegal activities such as identity theft, fraud and phishing is helping to strengthen the market.

Darknet markets

Stolen data is mainly traded on specialized marketplaces on the darknet. These marketplaces are usually accessible via the Tor network. Tor protects both buyers and sellers by encrypting their internet connection and routing it through various nodes, making it much more difficult to trace. One of the best-known marketplaces is BreachForums, which is considered a major player in the digital black market for leaked data.

Main page of BreachForums with overview and access to various areas

BreachForums is divided into several sections that focus on specific types of data breaches. One of the main categories is Databases, where stolen databases are published, often containing sensitive information. In addition, there is the Stealer Logs category, where logs from Infostealer malware are shared. These often contain login credentials that have been stolen by malware on infected systems. Another relevant section is Cracked Accounts, where compromised user accounts for various online services are published. There is also a section called Combolists, where lists of username/password combinations are shared that can be used for credential stuffing attacks.

Overview of leaks in the categories Games, Databases, Stealer Logs and Other Leaks

In addition to these main categories, there are other sub-forums, such as Games, which specializes in leaks of game codes, plugins and other gaming-related content. The Other Leaks section also enables the sharing of various data leaks that do not fall directly into the other categories. There is also the Database Discussion section, where users can discuss database leaks and make specific inquiries about certain data sets. A rather unusual category is HackTheBox, which deals with hacking exercises and is used for skill development.

Discussions and leaks on Database Discussion, cracked accounts, combolists and HackTheBox

The high number of threads and posts in the various categories shows that this platform has a large and active community. BreachForums is therefore a central point of contact for cyber criminals who want to distribute or acquire stolen data.

Area for offering and discussing stolen databases

A look at the published data shows that information from Switzerland is also traded on BreachForums.

Specific leaks and discussions relating to Switzerland

In the categories for databases, stealer logs and combolists, there are always entries that point to leaked customer data, access data to Swiss online services or compromised business data. This shows that Swiss companies, authorities and private individuals are also affected by data theft and that their information is circulating on such digital black markets. The global networking of such forums makes it difficult to protect against these threats, as stolen data is traded anonymously and without geographical restrictions, regardless of its origin. There are also markets on which not only data but also other illegal goods are traded. One example of this is the ASAP marketplace.

Main page of ASAP with overview

The user interface is similar to that of a regular online marketplace with categories, search functions and a shopping cart system. On the left-hand side is a list covering a wide range of illegal products. These include drugs such as stimulants, cannabis and hashish, opioids, psychedelics and ecstasy, as well as fraud and financial data, including bank accounts, credit card details and other sensitive information. In addition, digital goods such as hacking tools, software, security applications and tutorials are offered, as well as counterfeit products. Reviews are used to build trust between buyers and sellers.

Telegram as the linchpin

In recent years, Telegram has established itself not only as a popular messaging platform, but also as a central trading hub for illegal activities, including the trade in stolen data. A decisive factor in Telegram’s appeal in the criminal milieu is the ability to operate anonymously. While many other platforms require identity verification, a Telegram account can be registered with nothing more than a telephone number. This hurdle can be easily circumvented by using anonymous SIM cards or virtual numbers. The structure of Telegram also facilitates access to illegal markets. While darknet marketplaces require special technical infrastructure such as the Tor browser, Telegram can be accessed with just a few clicks. Interested parties can quickly find access to relevant groups and channels via web searches, forums or social media. The criminal networks on Telegram are often well organized. For example, there are specialized groups for different types of data leaks. Sellers present their offers in public channels, while transactions are mostly conducted in private chats or via automated bots. These bots facilitate trade by providing price lists, taking orders or even automatically responding to customer queries. Despite increasing criticism of Telegram’s role in cybercrime, the platform takes only limited action against illegal activities. Although channels are occasionally blocked, new groups are usually created within a few hours. In some cases, however, Telegram has begun to assist law enforcement agencies with investigations, particularly in cases of serious criminal activity.

How our data ends up in hidden markets

The more information there is, the greater the risk of it falling into the wrong hands. The methods by which this data is stolen range from direct attacks on companies to sophisticated deceptive maneuvers against the users themselves. Companies are often the target of hacker attacks due to their extensive data collections. In the event of a data leak, sensitive information is stolen and often ends up on darknet marketplaces. Such security breaches are usually caused by inadequate security measures, such as outdated software or a lack of encryption. Phishing and social engineering are other common types of attack in which attackers use deception to gain direct access to users’ personal data. Phishing is usually carried out using fake emails that appear to come from trustworthy institutions and contain a link to a fake website. Social engineering exploits the victim’s trust, for example by making fake calls or manipulating social networks in order to steal data or install malicious software. Another threat is malware, a collective term for malicious software that is infiltrated into systems in order to steal data or cause damage. Keyloggers, a special form of malware, record users’ keystrokes and are usually invisible to them. The captured data is either sold on the black market or used for later attacks.

What happens to stolen data

Stolen data is traded on illegal marketplaces and used for various criminal activities. A common form of misuse is identity theft, where perpetrators use victims’ personal information to carry out financial transactions or conclude contracts in their name. In addition, stolen credit card data is misused for unauthorized payments or money withdrawals. Another area of application is the takeover of online accounts. Through phishing or data leaks, cyber criminals gain access to login data and take control of other people’s accounts. They use these, for example, to sell illegal goods, whereby the traces initially lead to the actual owner of the hacked account, while the perpetrators remain hidden. Stolen data can also be used to blackmail or expose those affected. Perpetrators threaten to publish sensitive information in order to extort ransom money. The many ways in which stolen data can be misused are complex and do not end here.

Example Switzerland

After the cyberattack on the Bernese IT company Xplain in May 2024, stolen data was published on the darknet. An analysis by the Federal Office for Cybersecurity (BACS) revealed that around 65,000 of the 1.3 million data records published were relevant to the Federal Administration. Around 9,000 of these documents could be attributed to the Federal Administration, with around 14 percent containing sensitive content such as personal data, technical information, classified data and passwords. The hacker group Play, which was responsible for the attack, had captured 900 gigabytes of data. As Xplain did not respond to the ransom demand, the data was published on the darknet.

Measures against the trade in illegal data

Authorities and law enforcement agencies are constantly trying to shut down illegal marketplaces and chats on messenger services where stolen or sensitive data is traded. But this often resembles a cat-and-mouse game. As soon as a platform is shut down, new forums pop up. A well-known example of this is BreachForums, which reappeared several times under a different name and also under a different onion link after being shut down by the authorities.

Old web address of BreachForums after the shutdown

Despite these challenges, law enforcement agencies continue their efforts to uncover networks, identify perpetrators and curb trafficking. In addition to law enforcement agencies, specialized cybersecurity companies also make an important contribution to combating the trade in stolen data. At scip AG, we offer darknet monitoring services to inform companies about potential data leaks and the misuse of sensitive information at an early stage. Through the targeted use of our proprietary AI bots, we are able to infiltrate relevant darknet markets and perform real-time speech analysis. This enables us to identify transactions and actors that are of importance to our clients. As soon as a suspicious case is identified, our specialized darknet monitoring team is informed. They analyze the facts of the case and decide on the next steps, be it direct notification of the customers concerned, further monitoring or the publication of security-critical information to protect third parties. Our continuous monitoring extends not only to forums, marketplaces and messenger channels, but also to trafficking in stolen data, exploits and access points. The insights gained from this provide our customers with strategic advantages, help them to strengthen security measures in a targeted manner and minimize potential risks at an early stage. With our many years of experience and innovative technologies, we enable companies to protect themselves effectively against identity theft, fraud and loss of reputation.

Summary

Stolen data is being sold on the darknet and on messenger services such as Telegram. Criminals offer credit card data, access data and other sensitive information there. These are used for fraud, identity theft or blackmail. The data often comes from hacker attacks, phishing or malware. Both companies and private individuals are affected, as stolen information ends up on black markets and is misused. Switzerland is not safe either. Trading in stolen data remains a danger. Basic security precautions such as strong passwords, regular updates and caution with suspicious emails help to reduce the risk. scip AG supports companies with advanced darknet monitoring in order to provide early warning of data misuse and take targeted protective measures.

About the Author

Michèle Trebo

Michèle Trebo graduated from the ZHAW with a bachelor’s degree in computer science and a master’s degree in business informatics and worked for six years as a police officer in cybercrime investigation and analysis. She is responsible for research on criminalistic topics such as darknet, cyber threat intelligence, investigations and forensics. (ORCID 0000-0002-6968-8785)
