Corporate Email Account Access Sells for Just $2 on the Dark Web

According to analysts at KELA, at least 225,000 email accounts are currently for sale on the dark web. Access to stolen corporate email accounts can be purchased for as little as $2, with just a handful of marketplaces (Xleet, Lufix, Odin, Xmina) meeting most cybercriminals’ needs.

Researchers report that the largest stores selling access to compromised email accounts are Xleet and Lufix, each offering more than 100,000 hacked accounts. Prices for these accounts range from $2 to $30, and can be even higher for particularly “interesting” organizations.

How Accounts Are Stolen and Used

Typically, accounts are stolen through brute-force attacks or credential stuffing, which involves using login details previously stolen via phishing or purchased from other cybercriminals. Hackers use access to corporate email inboxes for targeted attacks, including spear phishing, social engineering (to gain deeper access to networks), and BEC (Business Email Compromise) attacks.

KELA’s report states that the sale of corporate email access on the black market has remained a stable “sector” for several years, with “combo lists” of email logins being sold on all major hacker forums. For example, the Everest ransomware group recently offered access to the email accounts of an aerospace manufacturing company for $15,000.

Automated Marketplaces and Seller Anonymity

However, such sales often involve tedious negotiations with sellers and carry certain risks, and the validity of the data is frequently in question. This has led to the rise of automated stores like Xleet, Odin, Xmina, and Lufix, which allow hackers to purchase access to email accounts of their choice directly.

On these platforms, sellers do not use nicknames but are instead masked by numbers assigned by the system. For instance, Odin provides detailed seller information, including the number of items sold, total sales volume, and average user rating.

Verification and Account Types

“Many of these stores offer advanced features, including ‘proof’ that access to the webmail account actually works. This proof may include real-time email verification or a screenshot of the inbox of the compromised account,” experts explain.

Odin and Xleet also specify how access to the email accounts was obtained: hacked, cracked, logs (from log files), or created (from scratch). The vast majority (98%) of accounts on Xleet fall into the hacked and cracked categories.

The most popular accounts on these platforms are Office 365 accounts, which make up nearly half of all webmail listings, followed by hosting providers such as cPanel, GoDaddy, and Ionos.
