How your entire identity could be sold for £30 on the dark web
British “identity packs” containing an ID scan, selfie and personal data file can be bought by criminals on the dark web for as little as £30, new research has found.
As identity theft continues to rise, experts have discovered national identity documents, driving licenses, credit card details and UK “frequent traveler” passports being sold for £2,000.
The information can be used in a variety of ways and may be used to apply for a credit card, mortgage, car loan or open a bank account.
AMLTRIX, a group of anti-money laundering experts, analyzed 25 active dark web markets in early December last year, revealing the many ways in which Britons’ stolen data was being used.
Co-founder Gabrielius Erikas Bilkstys said: “A full ID package including ID scan and selfie is now cheap and accessible enough for criminals to buy in bulk, and if that isn’t enough, the dark web offers other, though more expensive, more reliable options.
“This reflects how often the same personal data is stolen and resold and how industrialized this market has become.”
Some of the highest value items were KYC verified UK business bank accounts, ranging from £900 to £2,000. Accounts at major banks such as NatWest and Barclays were at the upper end of this range, according to AMLTRIX.
A NatWest spokesperson said: “We take protecting our customers from financial crime extremely seriously, which is why we operate strong fraud and security systems and work with partners across the wider digital ecosystem.”
Barclays has been contacted for comment.
The research also found that hacked UK Amazon accounts were listed for an average price of £15, while logins for subscription services such as Netflix were around £10.
Counterfeit Bank of England notes were also sold, usually at around 25 to 35 percent of their face value. Some sellers claimed their notes had passed UV light checks and offered low-value sample orders as proof of quality.
While the data sold is legal in most cases, AMLTRIX also noted that there are many cases of fraud.
Once the data is online, the same identity can be used repeatedly to commit identity theft. Many times, the actual victim will be unaware of the situation until debt collectors or law enforcement become involved, AMLTRIX said.
Mr. Bilkstys said one of the key misconceptions for organizations is to view the dark web as a completely separate world. “Many organizations still think of the dark web as a distant, exotic threat.
“In reality, the daily phishing campaigns that compliance teams are currently dealing with are tightly linked to major data breaches, account takeovers and money laundering cases.”
UK fraud prevention service Cifas found that more than 118,000 cases of identity fraud were recorded between January and June last year.
David Wall, a cybercrime expert at the University of Leeds, said: “The problem exists on two levels. [Firstly]The data of the individual who may suffer financial loss is defrauded through account takeover or, more commonly, through a phone call pretending to be from the victim’s own bank. The other level accesses data at the enterprise level.”
According to the Department of Science, Innovation and Technology (DSIT), by 2024, 43 per cent of UK businesses reported experiencing a cybersecurity breach or attack.
Mr Wall said criminals would collect this data, process it into packages and sell it to other criminals. “Some datasets are scams where one group of fraudsters tries to defraud another, but others are real and provide initial access to organizations.
“This is very concerning because they have contributed to the larger cyberattacks, particularly ransomware attacks, that most Western countries have experienced in recent years.”
