Buying and Selling Documents on the Darknet

The darknet has long been the go-to place for selling any stolen data, which is later used for various illegal activities (such as fraud) or to help people maintain anonymity. The darknet first drew major attention in 2013 with the launch of the infamous Silk Road. However, it’s worth noting that Silk Road did not allow the sale of stolen credit card data, document scans, or similar information, even though these are some of the most in-demand items on the darknet.

Stolen data is often found on marketplaces like Dream Market or Wall Street Market. Commonly traded items include passport scans, social security numbers, driver’s licenses, credit or debit card information—basically, anything that can be gathered from someone’s email or social media messages. Typically, 90% of data owners have no idea their information has been compromised.

Accessing the darknet is surprisingly easy—just download the Tor browser and start it up. As with online drug markets, selling such goods through the dark web makes it much harder for law enforcement to track down criminals, since sellers use advanced encryption, onion routing, and are generally tech-savvy (though not always).

Take carding, for example. This branch of cybercrime has grown so much in recent years that buying stolen credit card data is now extremely easy. Companies like PayPal report hundreds of thousands of data theft incidents every year.

The Purchase Process and Multisignature Transactions

Sellers of documents and personal data operate 24/7 on many darknet markets and carding forums. According to research on the value of data sold on these underground platforms, a seller with a large database of credit card owners can sell a single card for $20–$40.

Here’s how the process usually works:

1. Need arises. Someone needs to steal personal data for further use, such as creating a verified Yandex.Money wallet to launder money.
2. Specifying the need. The buyer decides what kind of data is required: a driver’s license, a bank card, or something else. For a Yandex.Money wallet, for example, a passport scan plus a tax ID is ideal.
3. Finding a marketplace. The buyer chooses the most suitable market (based on reviews, price/quality ratio, and other criteria) and a seller on that market.
4. Making the purchase. The buyer purchases and confirms receipt of the data, with transactions often confirmed using multisignature (multisig) technology.

Registration on most markets or forums is required, but usually only a nickname, password, and captcha are needed. All payments are made in Bitcoin or Monero, so it’s best to have cryptocurrency ready in advance to avoid extra fees and delays.

Most darknet markets (like Wall Street Market) have features to protect both buyers and sellers from fraud and loss of funds. One such feature is the multisignature mechanism.

What Is Multisignature?

Multisignature (multisig) means that more than one key is required to confirm a Bitcoin transaction. It’s typically used to share responsibility for Bitcoin ownership. Standard Bitcoin transactions require only one signature (from the private key owner), but the network supports more complex transactions that require multiple signatures before funds can be transferred. These are often called M-of-N transactions, where several parties must cooperate to release the funds.

If any condition is not met or if either the buyer or seller is dissatisfied, the transaction can be instantly rejected. This system helps prevent fraud and ensures both parties are protected.

According to Dark Web News, Dream Market—one of the largest darknet markets—offers a wide range of personal data: fake national IDs, passports, driver’s licenses, various work IDs, bank cards, and more. To get a fake passport, all you need is the personal information you want included, such as a name, photo, and other identifying details. Once everything is set, the buyer must verify that the product meets their requirements before releasing the funds from escrow, which is temporarily held using the multisig mechanism.

When buying digital goods like credit card data (including CVV, fullz, and bank accounts), the multisig process can take longer, since the buyer needs to check the validity of the data, which can’t be done instantly. For example, to check a CVV, you’d need to try making a purchase or paying for a service online.

Consequences and Risks

Cybercriminals have found a loophole in the darknet to use stolen data and make significant profits. These days, no one wants to meet in person to discuss the details of a fake passport or ID. No one from the street will launder your dirty money for you—and if they offer, you should run the other way.

According to a Cifas report, there were about 174,523 cases of identity fraud in the UK alone in 2017—a new record for the country. In the US, around 371,000 cases of identity theft were recorded in 2017, which is actually an improvement over the previous year’s 399,200 cases.

One major challenge is that it’s nearly impossible to detect the use of most stolen card or ID data in fraud schemes until it becomes obvious—like when a victim calls their bank to block their card after noticing suspicious withdrawals.

Many online banking systems require phone code verification as part of two-factor authentication. This is the main reason criminals try to access these systems and quietly withdraw money from accounts. The demand for fake IDs similar to those of account holders is growing every year, as shown by PayPal’s statistics. In countries with high levels of online fraud, PayPal has had to shut down many services due to constant fraud issues.

Other criminals have developed new ways to use stolen IDs. For example, in the US, taking out online loans using someone else’s passport is still a common scam—and it’s on the rise. According to a 2017 Javelin report, online fraud was increasing that year, with potential losses estimated at around $16 million. The report also shows that in 2017, about 15–16 million victims had their personal data stolen, sold, and then used.

Recommendations

Researchers at Javelin have suggested some simple security measures to combat identity theft, which is a real threat in today’s society:

1. Enable two-factor authentication. This is obvious, but crucial. If criminals try to access your accounts and enter the wrong code, you’ll be notified. Multiple incorrect attempts will lock the account (especially in online banking).
2. Protect your phone. Criminals know that many transactions and data are stored on electronic devices like smartphones. Protect your mobile devices with screen locks, encrypt stored data, avoid public Wi-Fi, and set local access codes to make it much harder for criminals to access your information.
3. Freeze accounts and set transaction limits. Set your account to freeze after entering the wrong password (many banks offer this, but not all). For example, Sberbank locks the account for one hour by default. Financial advisors also recommend limiting online transactions for each credit card and using systems like Verified by Visa or MasterCard SecureCode.

These and other best practices can significantly reduce cases of identity theft and fraud, but that doesn’t mean you should let your guard down. Be cautious with websites that ask for your data. Use secure communication methods to share personal information, and if you’ve already sent something by email, at least delete it from your “sent” folder. Change your passwords regularly, don’t open suspicious files, and stay vigilant.