How cybercriminals sell credit card and VPN data on the dark web

5 Aug 2022

Image: © Gorodenkoff/

Cybersecurity researchers found that VPN credentials were the most expensive category of stolen data being advertised.

Stolen credit card data, VPN access credentials and other confidential info can be bought for as little as $8 on dark corners of the web.

That’s according to researchers at SpiderLabs, the hacking and investigation team of cybersecurity company Trustwave, who conducted an extensive study into what cybercriminals charge for stolen data on the dark web.

In a blogpost published this week, Trustwave said the team found a repository of financial and identity records along with VPN access to organisations being sold online illegally.

This activity is having an impact on those whose data has been compromised. According to an FBI Internet Crime Report, reported incidents of credit card fraud in the US resulted in nearly $173m worth of losses for victims in 2021.

Why sell?

Why are these valuable records being sold by cybercriminals when they can use the information themselves? The SpiderLabs team thinks the answer lies in expediency and convenience.

“Criminals opt to sell credit card and driver’s licence information wholesale instead to quickly cash out and to avoid the time and trouble required to use the assets,” the team wrote in the blogpost.

“Generally, threat actors’ activity is divided into business fields, someone is digging, attacking and others are selling data or extracting user information and using it to obtain money. If the hacker or group does not know how to use the stolen information – they sell it.”

It was also found that in most cases, what is being sold on a forum was previously sold or used by a hacker, meaning that a buyer does not always get first-hand hacked data.

As well as credit card and bank account details, stolen data found being sold on the dark web included  social security numbers, driver’s licences, passports and access to organisations through their VPNs.

VPN and bank account access

Data that can provide access to bank accounts can cost anywhere between $100 and $3,000, SpiderLabs found.

“The higher the amount that can be stolen, the more expensive the purchase. Additionally, the price correlates to how easy it is to access the bank account as some banks might not be easier for a criminal to fool,” it said.

VPN access credentials were the most expensive category of data that SpiderLabs found being sold on the dark web.

“This is logical considering what a threat actor can do once inside an organisation. Everything from stealing money, corporate espionage, IP theft, seeding malware and planting ransomware are all on the table once access is gained.”

In one instance, the team found an ad that asked for $5,000 for access to an unnamed corporate network. Another asked for $2,500 for VPN credentials to a Korean company with an estimated $7bn revenue.

“If a company has a solid cybersecurity defence in place even this level of access might not be enough to do severe damage,” SpiderLabs said. “The ability to use that access for malicious purposes will be limited in environments that are fairly restricting, use network segmentation and check for anomalies.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic