惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
H
Hacker News: Front Page
N
News and Events Feed by Topic
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
K
Kaspersky official blog
Forbes - Security
Forbes - Security
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
H
Heimdal Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
T
Tenable Blog
T
Tailwind CSS Blog
P
Privacy International News Feed
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
博客园 - Franky
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
Vercel News
Vercel News
A
About on SuperTechFans
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
The Last Watchdog
The Last Watchdog
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 司徒正美
量子位
博客园 - 三生石上(FineUI控件)
J
Java Code Geeks
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Martin Fowler
Martin Fowler
Project Zero
Project Zero

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget The agentic AI 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget News brief: Security worries and warnings as AI use expands How to construct an effective security controls evaluation 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness Is SOAR dead or alive? Sort of The push for digital sovereignty: What CISOs need to know Beyond awareness: Human risk management metrics for CISOs Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces How AI caught a malicious North Korean insider at Exabeam Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
Data after the breach: Economics of the dark web
Sean Michael Kerner · 2026-05-11 · via Search Security Resources and Information from TechTarget

A breach is just the beginning. Once extracted, data moves through a sophisticated supply chain. Peek inside the dark web economy that turns stolen credentials into billions of dollars in profit.

When sensitive data is stolen in high-profile data breaches, the information doesn't simply vanish into a digital void. Data extraction is just the beginning of a calculated journey through a sophisticated criminal economy where files are tested, packaged, priced and listed on dark web marketplaces. There, buyers ranging from fraud rings to nation-state actors bid for access, after which the information is used to commit a host of cybercrimes.

The dark web is an encrypted layer of the internet intentionally hidden from casual browsers. Accessing the dark web requires anonymizing software, often using Tor, which routes traffic through encrypted multihop relays and resolves .onion addresses invisible to standard DNS. The commodities traded on the dark web include credentials, payment card data, personally identifiable information (PII), healthcare records, corporate network access, ransomware-as-a-service kits and forged documents.

With the FBI's Internet Crime Complaint Center reporting cybercrime losses exceeding $20.9 billion in 2025, a 26% increase over the previous year, it's clear that threat actors are exploiting a dynamic market that converts stolen data into reliable cash, making criminal investment in organized attacks highly lucrative.

The dark web is that market.

A professionalized supply chain: The players

The dark web operates with role specialization that mirrors a commercial supply chain.

  • The collectors. Phishing crews, infostealer operators and ransomware groups extract the raw data. Verizon's "2025 Data Breach Investigations Report" found that credential theft was present in 22% of breaches, 20% of exploited vulnerabilities and 16% of phishing activities. Flashpoint's "2025 Global Threat Intelligence Report" tracked more than 23 million hosts infected with infostealers, resulting in 2.1 billion harvested credentials.
  • Initial access brokers. IABs specialize in the intrusion phase, selling verified network access rather than executing attacks themselves.
  • Marketplace operators and aggregators. The platform layer includes BreachForums, Russian Market, 2easy and a growing number of Telegram channels. Operators collect listing fees while providing escrow systems, reputation scoring and dispute resolution. These markets often operate with commercial-grade controls.
  • The buyers. Fraud rings form the largest demand segment, acquiring PII, "fullz" -- complete identity packages -- and card data for account takeovers, synthetic identity fraud and fraudulent loan applications. Ransomware affiliates and nation-state actors buy IAB listings and proceed directly to encryption and exfiltration.

Dark web prices and payment

Pricing on dark web markets follows consistent logic, dictated by data freshness, completeness, validity and country tier.

DeepStrike's August 2025 dark web analysis, drawing on Trustwave, SOCRadar and live market data, found U.S. credit card data with CVV demand $10 to $40, while a card with a verified $5,000 balance fetches $110 to $120. Healthcare records can cost $500-plus per record and, unlike cards, they cannot be canceled or rotated. According to Check Point's 2025 IAB report, most corporate access listings price between $500 and $3,000, with domain admin credentials commanding far more.

Payments are almost always made with cryptocurrency. Bitcoin is common for ransomware transactions, while Monero is preferred for marketplace trades due to its built-in privacy features. Stablecoins, primarily USDT, account for 63% of illicit crypto volume according to Chainalysis's "2025 Crypto Crime Report."

Market scale and the data lifecycle

The dark web's stolen data market operates at measurable scale. KELA's "State of Cybercrime 2026" report tracked 2.86 billion compromised credentials circulating across criminal markets in 2025, spanning infostealer malware, breach databases and underground marketplaces.

Once extracted, stolen data moves through four distinct stages:

  1. Aggregation. Credentials are tested against live services before listing, with verified pairs commanding higher prices.
  2. Packaging. Material is assembled into combo lists, fullz bundles or stealer logs with one folder per infected machine containing browser passwords, cookies, autofill data and crypto wallet files.
  3. Listing. The package is posted on a marketplace, often within hours of capture.
  4. Distribution and reuse. Buyers purchase data; monetize it through fraud, account takeover or further intrusion; and often resell the information. Recaptured identity records circulate in criminal markets for years, generating losses for organizations long after the breach that produced it.

Law enforcement: Progress and limits

Prosecution for cybercrime remains the exception. Most operators work from jurisdictions with no extradition agreements with the U.S. or the EU. For example, LockBit leader Dmitry Khoroshev remains in Russia despite a $10 million U.S. State Department reward. BreachForums has been seized and reconstituted multiple times since 2023, with the most recent disruption in October 2025. While each takedown demonstrates what is possible, the reconstitutions demonstrate the limits.

Multi-agency operations have produced some promising results, however. For example:

  • Operation Cookie Monster. In April 2023, the FBI-led takedown of Genesis Market -- a dark web platform selling browser fingerprints, cookies and session data from 1.5 million compromised machines -- resulted in 119 arrests across 17 countries.
  • Operation Cronos. In February 2024, the National Crime Agency, FBI and Europol seized 34 LockBit servers, shut down the group's dark web leak site used for extortion, froze 200 cryptocurrency accounts and unmasked Khoroshev.
  • Operation RapTor. In 2025, the Europol-coordinated dark web crackdown targeted vendors across multiple dark web platforms, resulting in 270 arrests across 10 countries.

What CISOs need to do now

For security leaders, the dark web's underground economy changes monitoring priorities, risk thresholds and incident response assumptions. Security teams should consider taking the following actions to reduce risk.

Use the dark web for risk intelligence

Credentials surface in stealer-log data sets days before ransomware deploys. IAB listings target organizations by revenue range and sector, and ransomware leak sites name suppliers and customers alongside the primary victim. When monitored regularly, dark web intelligence can feed the security operations center with near-real-time criminal activity.

Bolster risk management

The dark web economy prices data based on freshness, completeness and usability. Data that cannot be quickly converted into access or fraud is less valuable on any marketplace. Three controls directly reduce that convertibility:

  1. Enforcing phishing-resistant MFA across all remote access, cloud admin and SSO entry points.

  2. Rotating credentials promptly on any stealer-log domain match.

  3. Applying the principle of least privilege across all accounts.

Incident response

A breach does not end when ransomware is contained or a card number is reissued. Stolen records circulate and are resold, sometimes for years, fueling downstream attacks enabled by the original incident. Organizations that treat containment as closure are routinely wrong. Preserve forensic evidence early, engage law enforcement while the trail is fresh and share indicators through Information Sharing and Analysis Centers.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.

Next Steps

Enterprise dark web monitoring: Why it's worth the investment

Dig Deeper on Data security and privacy