Dark Web Data Pricing 2026: Cards, Identity, and Initial-Access Listings

The cost of a stolen identity, payment card, or corporate-network foothold tells you more about the cybercrime economy in 2026 than any breach count. Rapid7's 2025 Initial Access Brokers Report measured the average sale price for an IAB listing at US$2,700, with 71% of deals offering privileged access. Rapid7's H2 2025 update then measured the average base price of IAB offerings at US$113,275, an approximate 4055% jump driven by forum reshuffling after the BreachForums collapse, the XSS administrator arrest, and an audience migration into private Telegram channels and DarkForums. Chainalysis's 2026 Crypto Crime Report added the on-chain side of the same trade: initial access brokers received at least US$14 million in on-chain payments across 2025, against the US$820 million total ransomware on-chain payment year. The price tag on access went up because the supply chain restructured.

Three forces drove the 2025-2026 picture. Forum reshuffling. BreachForums collapsed in April 2025 (US DOJ filings cited 888+ datasets and 14B+ records), the XSS administrator was arrested in July 2025 by Europol, French, and Ukrainian authorities, and DarkForums grew 600% April to June 2025 (per DarkOwl's 2025 dark-web year-in-review). Tooling commoditization. Adversary-in-the-middle phishing kits like Tycoon 2FA priced at US$120 for 10 days or US$350 a month reached over 500,000 organizations per month at peak before the Microsoft + Europol takedown of 330 domains in March 2026. Underground market scale. Bitsight's State of the Underground 2025 tracked 2.9 billion unique compromised credentials in 2024, up from 2.2 billion in 2023, with data-breach posts on underground forums +43% YoY. The data is for CISOs setting fraud-prevention budgets, identity teams measuring exposure exposure, and journalists translating dark-web pricing into headline-ready stat lines.

This post is the Stingrai research team's canonical 2026 reference for dark web data pricing. It assembles 70+ numeric and price-tag claims from named primary publishers, including Rapid7, Chainalysis, Microsoft (Threat Intelligence + on the Issues), Trustwave SpiderLabs, Group-IB, Bitsight, Flashpoint, DarkOwl, Searchlight Cyber, ReliaQuest / Digital Shadows, ZeroFox, Mandiant (Google Cloud), Sekoia.io, Trend Micro, Treasury OFAC, FBI IC3, DOJ, Europol, Privacy Affairs (2023 historical anchor), Wipfli, Imperva, NETSCOUT, IBM X-Force, Recorded Future, SOCRadar, Flare, Barracuda, ScamSniffer, and TRM Labs. Lead pricing data is full-year 2024 and 2025 telemetry where the publisher has reported it; the Rapid7 H2 2025 update and the Chainalysis 2026 Crypto Crime Report (released February 2026, covering full-year 2025) are the freshest available; the Privacy Affairs Dark Web Price Index 2024 and 2025 editions were not published, so the post anchors its longer-term trend on Privacy Affairs's last published 2023 edition and labels every 2024-2025 figure with the publisher that observed it. Every figure carries its source, year, and methodology window so any claim can be audited inline. For the broader credential-theft economy that runs around these prices, including stealer-log volume, account-takeover, MFA-bypass, breach cost, and the Snowflake / UNC5537 case study, see Stingrai's complementary Compromised Credential Statistics 2026.

TL;DR: 12 labeled key prices

• IAB average sale price (Rapid7 2025, full-year 2024 data): US$2,700, with nearly 40% of offerings priced US$500 to US$1,000 (Rapid7 2025 IAB Report).

• IAB average base price (Rapid7 H2 2025 update): US$113,275, +4055% YoY against the US$2,726 base (Rapid7 H2 2025).

• IAB on-chain payments tracked in 2025 (Chainalysis 2026): at least US$14 million, against US$820 million total on-chain ransomware payments (Chainalysis 2026 + Chainalysis ransomware report).

• Stealer-log subscription, multi-family (2025): US$100 to US$200 per month for Lumma, RedLine, Vidar, Raccoon, StealC; StealC US$200 monthly or US$800 for six months; individual logs US$5 to US$50, average around US$10 per bot (Flare; SOCRadar).

• Tycoon 2FA AiTM kit, Telegram pricing pre-takedown: US$120 for 10 days or US$350 a month (Microsoft on the Issues, March 4, 2026; Barracuda).

• Mamba 2FA monthly + Sneaky 2FA monthly: US$250 (Mamba) and US$200 (Sneaky) on Telegram (Sekoia.io on Mamba 2FA; Sekoia.io on Sneaky 2FA).

• Drainer kit subscription range (2024-2025): US$300 to US$900, with affiliates keeping 80% of stolen assets and operators 20% (Bank Info Security; Group-IB).

• Inferno Drainer cumulative theft: approximately US$87 million from approximately 130,000 victims, plus 16,000+ unique malicious domains (The Hacker News on Group-IB; SiliconAngle on Group-IB).

• Hydra darknet market lifetime BTC volume (2015 to seizure): approximately US$5.2 billion in cryptocurrency, with 17 million customers and 19,000+ vendor accounts at the April 2022 Treasury OFAC + DOJ takedown (Treasury OFAC; Wikipedia summary of seizure).

• Genesis Market lifetime revenue (2018 to April 2023 seizure): approximately US$8.7 million, with bots fetching up to US$450 each, 1.5 million infected computers, and 80 million account credentials touched (TechCrunch on the FBI; CNBC; Treasury).

• Healthcare record dark-web price (2024-2025): US$250 to US$310 per record, roughly 10x a stolen credit card (Patient Protect; Trustwave SpiderLabs anchor).

• Underground credential supply (Bitsight 2024 dataset): 2.9 billion unique compromised credentials, up from 2.2 billion in 2023 (+32% YoY); dark-web breach posts +43% YoY (Bitsight).

Key takeaways

• The retail price of common stolen data has stayed cheap or fallen since 2020 because supply has scaled faster than demand. Privacy Affairs's last-published Dark Web Price Index 2023 put a credit card with a US$5,000 balance at US$120, where it had been close to US$240 in the 2020-2021 editions; Trustwave SpiderLabs's 2024 retail-sector synthesis measured fullz at US$20 to US$100 and cloned cards at US$50 to US$1,500. Single SSNs sit around US$1 to US$6 in 2025 marketplace listings. The economics shifted from "selling cards" to "selling access."

• The premium tier inverted that pattern in 2025. Rapid7 measured an approximate 4055% jump in average IAB base price from US$2,726 in 2024 to US$113,275 in H2 2025, with average target organizational revenue rising from US$2.232B to US$3.242B. Forum-by-forum the picture varied: DarkForums set the highest averages, RAMP averaged US$6,400 base price, Exploit base prices were six times higher than 2024, and BreachForums halved.

• AiTM phishing-as-a-service kits compressed the technical barrier to bypassing MFA into a credit-card transaction. Tycoon 2FA at US$120 for 10 days or US$350 a month, Mamba 2FA at US$250 a month, and Sneaky 2FA at US$200 a month meant attackers needed only Telegram, a credit card, and a hosting plan to harvest post-MFA session cookies. Microsoft attributed about 62% of the phishing attempts it blocked at peak to Tycoon 2FA, reaching over 500,000 organizations per month before the March 2026 Microsoft + Europol takedown of 330 domains.

• Wallet-drainer kits sold for less than a single corporate credential and netted operators eight figures. Drainer-kit subscriptions ran US$300 to US$900. Inferno Drainer extracted approximately US$87 million from 130,000 victims before its November 2023 wind-down; Group-IB found 16,000 malicious domains tied to the operation before Check Point Research documented its 2025 return. Pink Drainer netted approximately US$85 million from over 21,000 victims before retiring in May 2024.

• Marketplace seizures concentrated activity, not supply. Treasury OFAC's April 2022 Hydra sanction took US$5.2B in cumulative BTC offline; Operation Cookie Monster in April 2023 produced 119 arrests on Genesis Market; BreachForums collapsed across multiple 2024-2025 sequences with US DOJ filings citing 888+ datasets and 14B+ records; XSS lost its administrator in July 2025; the Tycoon 2FA disruption in March 2026 seized 330 domains. After every shutdown, listings reappeared on DarkForums or moved to private Telegram channels within weeks; pricing reshuffled forum by forum, but the volume held.

Methodology

Sources used: Rapid7 Initial Access Brokers Report 2025 (August 2025) and H2 2025 update (March 2026); Chainalysis 2026 Crypto Crime Report (February 2026, FY 2025 data) and the report's ransomware section; Microsoft on the Issues + Microsoft Security Blog disclosures on Tycoon 2FA (March 4, 2026), Lumma Stealer (May 21, 2025), and the Microsoft Digital Defense Report 2025 PhaaS pricing summary; Barracuda Networks threat spotlight on Tycoon 2FA (April 16, 2026); Sekoia.io blog posts on Mamba 2FA and Sneaky 2FA (2024-2025); Trustwave SpiderLabs "How Prices are Set on the Dark Web" (2024 retail-sector synthesis) and 2024 Trustwave Risk Radar Report on retail and healthcare; Group-IB blog and Group-IB Knowledge Hub on Inferno Drainer; Check Point Research on Inferno Drainer reloaded (2025); ScamSniffer and TRM Labs on wallet drainers and 2024-2025 crypto theft; Bitsight State of the Underground 2025 and Bitsight Identity Intelligence press releases (2024-2025); Bitsight Trace dark-web monitoring data; Flashpoint 2025 Global Threat Intelligence Report and 2025 mid-year update; DarkOwl's 2025 dark-web year-in-review and Q1 2026 product update; Searchlight Cyber's H2 2025 ransomware report; ReliaQuest / Digital Shadows historical observations on data-leak forums; ZeroFox flash reports on forum disruption; Mandiant M-Trends 2025 and Google Cloud blog on UNC5537 (cited only for context); Trend Micro on the Tycoon 2FA coalition; Treasury OFAC press releases JY0701 (Hydra) and JY1388 (Genesis Market); FBI press release on Genesis Market and the FBI Internet Crime Complaint Center 2024 Internet Crime Report; DOJ press release on the BreachForums founder resentencing; Europol coordinated takedown notices (Lumma May 2025, Tycoon 2FA March 2026); Privacy Affairs Dark Web Price Index 2020 to 2023 (no 2024 or 2025 edition published); Wipfli Dark Web Price Index synthesis 2024; SOCRadar (Top 10 Stealer Logs and "Fullz, Dumps, and More"); Flare (Stealer Logs glossary and 2025 Microsoft Digital Defense Report dissection); Barracuda on Fullz; Imperva on DDoS booters; NETSCOUT on DDoS-for-hire pricing; Kaspersky Securelist 2024 IAB analysis; Recorded Future Identity Threat Landscape Report (cited for cross-comparison); IBM X-Force Threat Intelligence Index 2025 + 2026; Patient Protect on healthcare-record pricing; Komando, Techlicious, BankInfoSecurity, and SiliconAngle as supporting aggregators that surface specific marketplace listings.

Date cutoff: April 25, 2026. Lead data is full-year 2024 or 2025 telemetry where a primary publisher has released it. The Rapid7 H2 2025 update and the Chainalysis 2026 Crypto Crime Report are the most-recent primary-publisher feeds; no full-year 2026 retrospective reports exist yet. The Privacy Affairs Dark Web Price Index has not had a 2024 or 2025 edition; carry-forward 2024-2025 estimates anchor on Trustwave SpiderLabs's 2024 retail-sector synthesis and on 2025 marketplace listings observed via the publishers above. Statistics that could not be reached on at least one verification pass against a named primary source were dropped rather than estimated. Vendor blogs, AI-generated summaries, and aggregator articles are cited only where they constitute the public record of a price tag the primary source has not republished in a structured way (e.g., a Telegram subscription tier).

Figure 1: Dark web price ranges by data class on a log scale, 2024 to 2026. Single SSN US$1 to US$6, stolen US payment card no CVV US$5 to US$10, standard US card with CVV US$10 to US$40, fullz package US$20 to US$100, drivers license scan US$30 to US$60, passport scan US$30 to US$60, card with US$5K balance US$100 to US$240, cloned card premium US$200 to US$1,500, healthcare record US$250 to US$310, verified Coinbase account US$107 to US$250, verified Kraken account US$1,100 to US$1,170. Sources: Trustwave SpiderLabs; Privacy Affairs 2023 anchor; Wipfli 2024 synthesis; SOCRadar fullz analysis; Barracuda on dead fullz; Patient Protect on healthcare records.

Per-data-class pricing in 2026

The retail catalog of stolen data still anchors most CISOs' mental model of dark-web economics. The catalog has not changed shape; the per-row prices have, and the publisher mix that prints those prices has reshuffled.

Payment cards: cheap, plentiful, region-priced

Trustwave SpiderLabs's 2024 retail-sector synthesis priced a payment card with fullz attached at US$8 to US$70 and cloned cards at US$50 to US$1,500, with the upper end set by the credit limit on the cloned card. 2025 marketplace observations (carried via Komando, SOCRadar, Wipfli) put a stolen US payment card with no CVV at around US$10 and a standard US card with CVV at US$10 to US$40. A high-balance card (US$5,000 limit) sold for US$120 in Privacy Affairs's 2023 edition and remained close to that level in 2025 listings tracked by aggregators.

The mid-tier US$10 to US$40 single-card price has not moved meaningfully since 2022, and the premium-tier US$120 high-balance card has eroded from a 2020-2021 peak around US$240. The structural reason: per-card supply has scaled faster than demand. Bitsight's State of the Underground 2025 tracked 2.9 billion unique compromised credentials in 2024, up from 2.2 billion in 2023; data-breach posts on underground forums grew 43% YoY. When supply outruns demand, retail prices flatten or fall.

Identity packages and forged documents

A "fullz" package, the dark-web shorthand for a complete identity bundle (name, address, SSN, date of birth, sometimes credit-card details), still occupies the middle of the retail price chart. SOCRadar's 2025 analysis put complete identity packages at US$20 to US$100, while Barracuda noted dead fullz (credentials tied to expired payment cards) at US$1 to US$3 each.

The single-SSN-around-US$1 figure has been consistent since Wipfli's 2024 synthesis. What changes year over year is the bundle premium: a US fullz with a high credit score and clean record can clear the US$100 ceiling, while basic PII (name plus email) trades at less than US$15, per Wipfli, "due to breach oversupply."

Crypto-exchange accounts

Crypto-exchange accounts are the highest-priced consumer financial data class on the dark web. Privacy Affairs's 2023 catalog priced a hacked Coinbase verified account at US$610, a hacked Kraken verified account at US$1,170, and a hacked Binance verified account at US$410. 2025-2026 marketplace listings showed Coinbase logins narrower, in the US$107 to US$250 range, depending on verification status, country, and balance.

The Coinbase price compression from a US$610 anchor to a US$107.50 floor in 2025-2026 reflects supply growth: account-takeover targets are now industrialized through stealer-log pipelines that the Compromised Credential Statistics 2026 post documents in detail. Kraken stayed expensive because verification friction remained higher.

Streaming, ride-share, and consumer accounts

Cheap consumer accounts are the long tail of dark-web retail. Privacy Affairs 2023 anchor and the SOCRadar 2025 carry-forward put Netflix accounts around US$25, Spotify Premium around US$10, and Uber accounts around US$15. The economics: most are sold for direct consumer fraud or as warm-up purchases by buyers establishing reputation on a forum, not for high-value follow-on attacks.

Healthcare records

Healthcare records command the longest-running premium in the dark-web catalog. Patient Protect's 2025 healthcare data-breach survey put per-record prices at US$260 to US$310, roughly 10 times a stolen credit card. Trustwave SpiderLabs's earlier benchmark priced healthcare records at approximately US$250 each. The value driver: medical records are immutable. A patient cannot change their medical history the way they can rotate a credit-card number.

Figure 2: Dark web payment-card and identity pricing trend, 2020 to 2025. The high-balance credit-card price held above US$240 in 2020-2021 and dropped to US$110 by 2022, where it has stayed. Single US-card-with-CVV mid-pricing varied US$15 to US$35 across the window. Fullz package mid-pricing crept from US$30 to US$70 and settled near US$60 in 2025. Sources: Privacy Affairs Dark Web Price Index 2020 to 2023; Trustwave SpiderLabs 2024; Komando aggregator; SOCRadar fullz analysis.

The Initial Access Broker market in 2025-2026

Initial access brokers are the wholesale tier of the dark web. They sell pre-built footholds inside corporate networks (RDP, VPN, Citrix, web shells, Active Directory admin) to ransomware affiliates and data-extortion crews who do the second-stage work. The IAB market reorganized dramatically in 2025.

Rapid7's two snapshots: US$2,700 to US$113,275

Rapid7's 2025 Initial Access Brokers Report, released August 2025 and tracking 2024 listings, found:

The Rapid7 H2 2025 update painted a different picture:

Forum-by-forum reshuffling

The same H2 2025 update broke out per-forum averages. The forum migration story is the single biggest pricing shift of the year:

Per-forum averages diverged because each forum was selling a different size of target. DarkForums attracted the post-BreachForums premium audience. RAMP, the long-running closed Russian-language ransomware forum, kept its "vouched threat actors only" door policy. BreachForums itself was repeatedly seized, forked, and re-seized through 2024-2025; what remained traded down.

Kaspersky Securelist 2024 baseline

Kaspersky Securelist's 2024 IAB analysis provides a complementary baseline:

The Kaspersky 2024 baseline and the Rapid7 2025 baseline agree on the typical-listing band (low thousands). They diverge on the H2 2025 trajectory because each was sampling different forum mixes; Rapid7's H2 2025 sample skewed toward DarkForums and RAMP after the migration, where premium listings had concentrated.

Chainalysis on the on-chain side

Chainalysis's 2026 Crypto Crime Report, released February 2026 and covering full-year 2025, tracked the on-chain settlement layer of the IAB market:

The IAB-to-ransomware ratio is signal: less than 2 cents on the dollar of total ransomware on-chain payments flowed back to the access brokers. The wholesale tier monetizes through a tiny fraction of the downstream attack revenue, which is why pricing has migrated upward as the affiliate market's downstream revenue per breach grew.

Figure 3: Dark web access economy pricing tiers from US$5 single stealer logs to US$113,275 H2 2025 IAB average. Single logs are commodity. PhaaS kits and stealer-log subscriptions are the rented-tooling tier. IAB and corporate VPN are the premium tier. Rapid7 measured an approximate 4055% jump in average base price from 2024 to H2 2025. Sources: Flare; SOCRadar; Microsoft on the Issues; Barracuda; Sekoia.io; Group-IB; Rapid7 H2 2025; Kaspersky Securelist 2024.

Stealer-log retail and subscription pricing

Infostealer logs are the raw material of the credential economy. Each log contains every browser-saved password, session cookie, MFA token, crypto-wallet artifact, and OAuth refresh token from a victim machine. Pricing has stayed remarkably stable through 2024-2025 because supply scaled in lockstep with demand.

Subscription tiers

Flare's 2025 stealer-log reference priced infostealer subscriptions at US$100 to US$200 per month for the most-deployed families: Lumma, RedLine, Vidar, Raccoon, and StealC. SOCRadar's 2025 catalog added per-family pricing detail: StealC at US$200 monthly or US$800 for six months. After the May 2025 Lumma takedown displaced volume, Recorded Future's 2025 ITLR tracked Vidar, StealC, and Rhadamanthys absorbing the activity.

Per-log retail

Individual stealer logs (one per infected machine) sold for US$5 to US$50 each in 2025, averaging around US$10 per bot in dark-web shops, per Flare. The same source noted that fresh logs (under 48 hours old) command multiples of those prices because the session tokens have not yet expired. Cybernews's reporting on infostealer-affected US military and defense systems priced individual military-credential logs from US$10 per machine, confirming that even high-sensitivity logs sell at the commodity-tier price floor.

IBM X-Force's 2025 Threat Intelligence Index tracked dark-web infostealer ad volume up 12% YoY in 2024, with Lumma the number-one infostealer listing, followed by RisePro, Vidar, Stealc, and RedLine. IBM's 2026 Threat Intelligence Index added the new entrant of 2025: more than 300,000 ChatGPT credential sets advertised on dark-web markets, harvested by commodity malware including Raccoon and Vidar.

AiTM phishing-as-a-service kits: US$120 to US$350

Adversary-in-the-middle kits compressed the technical barrier to bypassing MFA into a credit-card transaction. The pricing tier sits between commodity stealer logs and IAB listings.

Tycoon 2FA, Mamba 2FA, Sneaky 2FA

Microsoft's March 4, 2026 disruption announcement and Barracuda's threat spotlight surfaced the most complete pricing snapshot of the AiTM PhaaS market:

Tycoon 2FA scale and the March 2026 takedown

Microsoft on the Issues, March 4, 2026 measured Tycoon 2FA's reach pre-disruption:

The takedown was the first coordinated action under Europol's Cyber Intelligence Extension Programme (CIEP). Within weeks, Tycoon 2FA infrastructure resurfaced through other operators; Mamba 2FA and Sneaky 2FA absorbed the displaced demand at the same price points. The price floor on AiTM PhaaS held.

Figure 4: AiTM phishing-as-a-service kit pricing on Telegram, 2025. Tycoon 2FA, Mamba 2FA, and Sneaky 2FA cluster around US$120 to US$350 per month. Tycoon 2FA was disrupted in March 2026; Mamba and Sneaky absorbed the displaced demand within weeks. Sources: Microsoft on the Issues, March 4, 2026; Barracuda Networks threat spotlight, April 16, 2026; Sekoia.io on Mamba 2FA; Sekoia.io on Sneaky 2FA.

Wallet-drainer kits: scam-as-a-service for crypto

Crypto wallet drainers occupy a parallel pricing tier. A drainer is a phishing-page-plus-JavaScript kit that, when a victim signs a transaction, drains the wallet's NFTs and tokens to the operator. The retail price is low; the gross proceeds per operator can run into eight figures.

Pricing and revenue split

Inferno Drainer scale

Group-IB's reporting on Inferno Drainer, reproduced in The Hacker News and SiliconAngle, put the cumulative numbers at:

Pink Drainer and the broader market

Pink Drainer announced its retirement in May 2024 after netting approximately US$85 million from over 21,000 victims. TRM Labs's 2025 Crypto Crime Report priced 2024 crypto fraud at approximately US$11 billion in scope; TRM measured H1 2025 crypto theft at approximately US$2.1 billion, more than the total stolen in 2024. Drainers were a meaningful share of the wallet-direct attack volume but not the majority; private-key compromises and front-end exploits still dominated the dollar-loss totals.

DDoS-for-hire (booter / stresser) pricing

The booter / stresser market is the small tail of the dark-web price chart, but it is well-documented because pricing tiers are public on Telegram and clearnet aggregator sites. Imperva's reference put an average one-hour-per-month DDoS package at around US$38, ranging from US$19.99 at the low end. NETSCOUT's 2024-2025 examples priced Nightmare Stresser at EUR 25 to EUR 19,999, Stressthem at US$30 monthly to US$18,000 quarterly, and Krypton Networks from US$15 for a seven-day subscription up to US$1,000 for a 16-day premium.

The pricing has stayed flat since the early 2020s. Concurrent-attack count and per-hour duration drive the upper tier; AI-enhanced tooling is the new growth segment.

Marketplace seizures and the 2025 reshuffling

The dark-web pricing chart that this post documents is the residue of seven significant law-enforcement actions across 2022 to 2026. Each one removed a venue but redirected demand into the next.

Figure 5: Major dark-web marketplace and tooling seizures, 2022 to 2026. The Hydra seizure in April 2022, BreachForums v1 (Pompompurin) in March 2023, Genesis Market in April 2023, BreachForums v3 collapse in April 2025, Lumma Stealer takedown in May 2025, XSS administrator arrest in July 2025, and the Tycoon 2FA disruption in March 2026 each reorganized listings without ending supply. Sources: Treasury OFAC and Treasury on Genesis Market; DOJ on BreachForums; DarkOwl 2025 dark-web year-in-review; Microsoft + Europol.

Hydra (April 2022)

Treasury OFAC press release JY0701 and the German Federal Criminal Police seizure announcement put the lifetime numbers on Hydra at approximately US$5.2 billion in cryptocurrency moved through the platform since 2015, 17 million customers, and 19,000+ vendor accounts at the time of seizure. The German operation seized US$25 million in BTC. Hydra accounted for an estimated 80% of all darknet-market-related cryptocurrency transactions in 2021.

Genesis Market (April 2023, "Operation Cookie Monster")

The FBI-led April 5, 2023 seizure of Genesis Market spanned 17 countries and 119 arrests. TechCrunch's coverage of the FBI announcement and the DOJ + Treasury statements priced Genesis activity at US$8.7 million in revenue, 1.5 million infected computers, and login credentials associated with more than 80 million accounts. By March 2023, the marketplace listed over 450,000 active "bots" (the marketplace's term for a packaged identity bundle with cookies and credentials), with high-value bots fetching up to US$450 each. Operation Cookie Monster was code-named for the cookie-stealing nature of Genesis bots.

BreachForums (multiple sequences, 2023 to 2025)

BreachForums was repeatedly seized and reborn:

The BreachForums collapse in April 2025 is the proximate cause of the IAB-pricing reshuffle Rapid7 measured in H2 2025. Premium audiences moved to DarkForums; operationally sensitive activity moved to private Telegram channels; commodity listings shifted to copycat platforms.

XSS administrator arrest (July 2025)

XSS, the long-standing Russian-language forum for exploits, access, and ransomware affiliates, lost its administrator in July 2025 when Europol, French authorities, and Ukrainian law enforcement coordinated arrests. The forum had been one of the two highest-reputation venues for IAB activity (alongside Exploit). Listings did not disappear; they redistributed.

DarkForums absorption

DarkOwl tracked DarkForums's growth: a 600% membership jump April to June 2025, reaching over 12,700 members by early 2026. The forum's feature set mirrors BreachForums (leaked databases, stealer logs, combo lists, malware tools, cracked accounts, tiered membership). DarkForums became a tier-1 monitoring target for organizational data exposure; this is the venue that drove the upper end of Rapid7's H2 2025 IAB-pricing distribution.

Tycoon 2FA (March 2026)

The most-recent action: Microsoft, Europol, and partners disrupted Tycoon 2FA on March 4, 2026, seizing 330 active domains and filing a US$10 million civil injunction against alleged operator Saad Fridi. Within weeks, researchers reported Tycoon 2FA-style infrastructure back at pre-disruption levels under different branding. The price floor on AiTM PhaaS held.

Underground market scale: Bitsight, Flashpoint, Searchlight Cyber

Three primary publishers tracked the macro scale of the 2025 underground market.

Bitsight's State of the Underground 2025 measured:

Flashpoint's 2025 Global Threat Intelligence Report and mid-year 2025 update added:

Searchlight Cyber's H2 2025 ransomware report tracked:

The convergent picture: the dark-web supply curve grew faster than the demand curve at the commodity tier, which is why per-card and per-credential prices stayed cheap, while the premium-access tier consolidated onto fewer venues with stricter membership rules and higher absolute price tags.

What this means for defenders

Five practical implications for security buyers and incident-response teams in 2026:

• Treat dark-web pricing as a supply-and-demand signal, not as a purchase reference. When fullz prices crept from US$30 in 2020 to US$70 in 2024, it meant identity-theft bundles were getting more complete (more documents per record); it did not mean adversaries were paying more per breach. Conversely, when single-card pricing held at US$10 to US$40, it meant supply growth had outpaced fraud-detection improvements.

• Pay attention to which forum a price comes from. A "US$2,000" IAB listing on BreachForums in 2024 was not the same product as a "US$2,000" listing on RAMP in 2024; vetting, target organization size, and access depth differ. Stingrai's PTaaS and adversary simulation practices treat per-forum pricing data as one input into engagement scoping, not as a single market clearing price.

• Monitor the dark web as a leading indicator, not just a forensic record. Bitsight's Identity Intelligence service tracks 1 billion credentials weekly across 1,000+ underground forums and markets; DarkOwl monitors over 1,000 dark-web sources; Searchlight Cyber, ReliaQuest, ZeroFox, Flare, SOCRadar, and Recorded Future operate similar pipelines. Subscribe to whichever surface fits your data-classification window; the lead time between log-on-victim-machine and first dark-web listing has shrunk to 48 hours or less in current measurement.

• Cost out an AiTM-bypass test. The Tycoon 2FA, Mamba 2FA, and Sneaky 2FA price points (US$120 to US$350 per month) put adversary-in-the-middle session-cookie theft in reach of any motivated buyer. Stingrai includes AiTM credential and session-cookie testing against production identity flows in the standard PTaaS engagement, simulating exactly the techniques the primary-source telemetry above documents.

• Treat marketplace seizures as moments, not solutions. Genesis Market in 2023, Hydra in 2022, BreachForums repeatedly in 2024-2025, XSS in 2025, Tycoon 2FA in 2026: every seizure took out a venue and reorganized the same supply onto the next. Build an offensive program assuming the supply side will reconfigure within weeks; the price floor on access has not collapsed in any post-seizure window we tracked.

Frequently Asked Questions

How much does stolen data cost on the dark web in 2026?

Stolen data prices in 2026 span a wide range by data class. Single SSNs sell for US$1 to US$6, stolen US payment cards without CVV go for US$5 to US$10, standard US cards with CVV sell for US$10 to US$40, and a fullz package (full identity bundle) goes for US$20 to US$100. Verified Coinbase accounts list at US$107 to US$250, healthcare records at US$250 to US$310, and verified Kraken accounts at US$1,100 to US$1,170. The premium tier is corporate-network access: Rapid7's H2 2025 Initial Access Brokers Report measured an average IAB base price of US$113,275, up from a US$2,726 average in 2024.

What is the average price for an Initial Access Broker listing in 2026?

Rapid7's 2025 IAB Report, tracking full-year 2024 listings, measured the average sale price at just over US$2,700, with nearly 40% of offerings priced US$500 to US$1,000 and 71% offering privileged access. The Rapid7 H2 2025 update measured the average base price at US$113,275 (an approximate 4055% YoY jump) driven by forum migration toward DarkForums and RAMP after the BreachForums collapse. Kaspersky Securelist's 2024 baseline put most listings in the US$500 to US$2,000 band, with high-value listings exceeding US$10,000.

How much does a stealer-log subscription cost on the dark web?

Flare's 2025 stealer-log reference priced infostealer subscriptions at US$100 to US$200 per month for Lumma, RedLine, Vidar, Raccoon, and StealC. SOCRadar's 2025 catalog added that StealC is sold at US$200 monthly or US$800 for six months. Individual stealer logs (one per infected machine) sell for US$5 to US$50 retail, averaging around US$10 per bot, with fresh logs (under 48 hours old) commanding multiples of those prices.

How much does a Tycoon 2FA AiTM phishing kit cost?

Tycoon 2FA was priced at US$120 for a 10-day starter and US$350 for a 1-month admin panel on Telegram before its March 4, 2026 disruption by Microsoft, Europol, and a private-sector coalition. The kit reached over 500,000 organizations per month at peak and accounted for approximately 62% of phishing attempts Microsoft blocked. After disruption, Mamba 2FA at US$250 per month and Sneaky 2FA at US$200 per month absorbed displaced demand.

How much does a wallet-drainer kit cost?

Wallet-drainer kit subscriptions ran US$300 to US$900 in 2024-2025. Inferno Drainer's affiliates kept 80% of stolen assets while the operators took 20%, with the operation extracting approximately US$87 million from 130,000 victims and using over 16,000 unique malicious domains before its November 2023 wind-down. Pink Drainer netted approximately US$85 million from over 21,000 victims before retiring in May 2024. Inferno Drainer returned in 2025, per Check Point Research.

How much do healthcare records cost on the dark web?

Healthcare records sold for US$250 to US$310 per record in 2024-2025, roughly 10 times the price of a stolen credit card. Trustwave SpiderLabs's earlier benchmark priced healthcare records at approximately US$250 each. The valuation premium reflects record immutability: a patient cannot rotate medical history the way they can rotate a credit-card number.

Why has Privacy Affairs not published a Dark Web Price Index in 2024 or 2025?

Privacy Affairs's last Dark Web Price Index edition is the 2023 catalog. No 2024 or 2025 edition has appeared on the publisher's site as of April 25, 2026. Aggregator sites that use the "Dark Web Price Index 2025" label generally re-cite the 2023 dataset alongside 2024-2025 spot observations. For 2024-2025 carry-forward pricing, this post anchors instead on Trustwave SpiderLabs's 2024 retail-sector synthesis, Wipfli's 2024 synthesis, and 2025-2026 marketplace observations attributed to specific monitoring vendors.

Have credit card prices on the dark web fallen since 2020?

Yes. Privacy Affairs's 2020 and 2021 editions priced a credit card with a US$5,000 balance at approximately US$240; the 2023 edition put it at US$120, and 2025 marketplace observations have it close to US$110. Single US-card-with-CVV mid-pricing has stayed flat in the US$15 to US$35 range. The structural reason is supply: Bitsight tracked 2.9 billion unique compromised credentials in 2024, up from 2.2 billion in 2023, and Flashpoint measured 16.8 billion records compromised through 2024. When supply outruns demand, retail prices flatten or fall.

What was the impact of the BreachForums collapse on dark-web pricing?

The April 2025 BreachForums collapse, combined with the July 2025 XSS administrator arrest, redistributed listings to DarkForums (which grew 600% April to June 2025 per DarkOwl) and to private Telegram channels. Rapid7's H2 2025 IAB report measured an approximate 4055% jump in average IAB base price (US$2,726 to US$113,275) through this period. Per-forum: DarkForums had the highest base prices by a very large margin; RAMP averaged US$6,400; Exploit's base prices were six times higher than 2024; BreachForums's surviving copycat listings were halved.

What was Genesis Market and how was it taken down?

Genesis Market sold packaged "bots" (bundles of stolen credentials, cookies, and browser fingerprints) from infected computers, with bots fetching up to US$450 each. On April 5, 2023, the FBI announced Operation Cookie Monster, an FBI-led action across 17 countries that resulted in approximately 119 arrests. DOJ + Treasury statements priced Genesis activity at US$8.7 million in revenue, 1.5 million infected computers, and login credentials touching more than 80 million accounts. By March 2023, the marketplace had over 450,000 active bots listed.

How big is the dark-web monitoring market?

Research and Markets's Dark Web Intelligence Market report valued the market at US$667.26 million in 2026, projected to reach US$1.19 billion by 2032 at a 10% CAGR. Among the named primary monitoring vendors and reports tracked in this post: Bitsight, Flashpoint, DarkOwl, Searchlight Cyber, ReliaQuest, ZeroFox, Flare, SOCRadar, Recorded Future, Trustwave SpiderLabs, and Group-IB.

Where can I get the latest dark web data pricing data?

Primary publishers tracked in this post: Rapid7 (Initial Access Brokers Report, annual + H2 update), Chainalysis (Crypto Crime Report, February), Microsoft (Threat Intelligence + on the Issues blog disclosures), Trustwave SpiderLabs (Risk Radar Reports + dark-web economics blog), Group-IB (drainer + IAB analyses), Bitsight (State of the Underground, annual), Flashpoint (Global Threat Intelligence Report, annual + mid-year), DarkOwl (year-in-review + Q1 product updates), Searchlight Cyber (ransomware reports, H1 + H2), Sekoia.io (PhaaS and AiTM kit analyses), and the FBI Internet Crime Complaint Center (Internet Crime Report, April). For the broader credential-theft economy that drives this pricing, see Stingrai's Compromised Credential Statistics 2026.

References

1. Rapid7. Compromise for Sale: Inside the Rapid7 2025 Access Brokers Report. August 2025. https://www.rapid7.com/blog/post/compromise-for-sale-inside-the-rapid7-2025-access-brokers-report/. Average sale price US$2,700, 71% privileged access, 40% of listings US$500 to US$1,000.

2. Rapid7. Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing. March 2026 (H2 2025 update). https://www.rapid7.com/blog/post/tr-initial-access-broker-shift-high-value-targets-premium-pricing/. Average base price US$113,275, +4055% YoY; per-forum breakdown.

3. Chainalysis. 2026 Crypto Crime Report: Introduction. February 2026. https://www.chainalysis.com/blog/2026-crypto-crime-report-introduction/. US$154B illicit volume; US$14M to initial access brokers; US$820M ransomware on-chain.

4. Chainalysis. Crypto Ransomware: 2026 Crypto Crime Report. February 2026. https://www.chainalysis.com/blog/crypto-ransomware-2026/. Total on-chain ransomware payments fell ~8% to US$820M in 2025; median ransom payment +368% YoY to nearly US$60,000.

5. Microsoft on the Issues. Defending the gates: How a global coalition disrupted Tycoon 2FA. March 4, 2026. https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/. 330 domains seized; 96,000 victims since 2023; 55,000+ Microsoft customers; US$10M civil injunction.

6. Barracuda Networks. Threat Spotlight: Tycoon 2FA didn't die, it's scattered everywhere. April 16, 2026. https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere. US$120 for 10 days, US$350 for a month admin panel; ~62% of phishing Microsoft blocked.

7. Sekoia.io. Mamba 2FA: A new contender in the AiTM phishing ecosystem. 2024-2025. https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/. US$250 for 30 days; Telegram-bot-driven phishing-link generation.

8. Sekoia.io. Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service. 2025. https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/. US$200 per month; subscription-driven Telegram operation.

9. Flare. Stealer Logs: Guide for Security Teams. 2025. https://flare.io/glossary/stealer-logs. Lumma / RedLine / Vidar / Raccoon / StealC US$100 to US$200 per month; per-log retail US$5 to US$50.

10. SOCRadar. Top 10 Stealer Logs. 2025. https://socradar.io/blog/top-10-stealer-logs/. StealC US$200 monthly or US$800 six-month tier; per-family pricing.

11. SOCRadar. Fullz, Dumps, and More: What are Hackers Selling on the Black Market? 2025. https://socradar.io/blog/fullz-dumps-and-more-what-are-hackers-selling-on-the-black-market/. Standard fullz US$20 to US$100.

12. Trustwave SpiderLabs. How Prices are Set on the Dark Web: Exploring the Economics of Cybercrime. 2024. https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/how-prices-are-set-on-the-dark-web-exploring-the-economics-of-cybercrime/. Card with fullz US$8 to US$70; cloned cards US$50 to US$1,500; healthcare ~US$250.

13. Privacy Affairs. Dark Web Price Index 2023. April 2023. https://www.privacyaffairs.com/dark-web-price-index-2023/. Last published edition; cards US$17 to US$120 range, fullz US$20 to US$100, SSN US$1.

14. Wipfli. View the latest dark web price index. 2024. https://www.wipfli.com/insights/articles/dark-web-price-index. Basic PII < US$15 due to oversupply; bank/crypto access US$1,000+.

15. Group-IB. Inferno Drainer Scam: Crypto Wallet Draining Malware Explained. 2024. https://www.group-ib.com/blog/inferno-drainer/. 80/20 affiliate-operator split; phishing-site add-on free or 30% cut.

16. The Hacker News. Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims. January 2024. https://thehackernews.com/2024/01/inferno-malware-masqueraded-as-coinbase.html. Cumulative theft and victim count.

17. SiliconAngle. Group-IB uncovers 16,000 malicious domains used in Inferno Drainer crypto scam. January 2024. https://siliconangle.com/2024/01/16/group-ib-uncovers-16000-malicious-domains-used-inferno-drainer-crypto-scam/. Domain footprint of the operation.

18. Check Point Research. Return of the Crypto Inferno Drainer. 2025. https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/. 2025 return after operator 2023 shutdown.

19. Bank Info Security. Crypto-Seeking Drainer Scam-as-a-Service Operations Thrive. 2024. https://www.bankinfosecurity.com/crypto-seeking-drainer-scam-as-a-service-operations-thrive-a-24107. Drainer kit subscription range US$300 to US$900.

20. Bitsight. New Bitsight Analysis Reveals 43% Increase in Breach Data Shared on Underground Forums in 2024. 2025. https://www.bitsight.com/press-releases/new-bitsight-analysis-reveals-43-increase-breach-data-shared-underground-forums-2024. 2.9B compromised credentials, +43% breach posts, +24% leaked credentials.

21. Bitsight. Bitsight Unveils Identity Intelligence Solution. April 2025. https://www.bitsight.com/press-releases/bitsight-unveils-identity-intelligence-solution-detect-and-stop-credential-based. 1B credentials weekly; 1,000+ underground forums and markets monitored.

22. Flashpoint. Flashpoint 2025 Global Threat Intelligence Report. March 2025. https://flashpoint.io/resources/report/flashpoint-2025-global-threat-intelligence-gtir/. 16.8B records, +33% credential theft YoY, 5,742 ransomware attacks 2024.

23. Flashpoint. Navigating 2025's Midyear Threats: Insights from Flashpoint's Intelligence Index. August 2025. https://flashpoint.io/blog/flashpoint-2025-global-threat-intelligence-index-midyear/. Mid-year ransomware +179%, infostealer use +800%, 1.8B credentials.

24. DarkOwl. 2025 - A Year of Constant Upheaval on the Dark Web. Late 2025/early 2026. https://www.darkowl.com/blog-content/2025-a-year-of-constant-upheaval-on-the-dark-web-darkowl/. BreachForums + XSS disruption; DarkForums 600% growth April-June 2025.

25. Searchlight Cyber. Ransomware Groups Claimed Record Number of Victims in 2025 with 30% Annual Increase. 2025. https://slcyber.io/press/ransomware-report-h2-2025/. 7,458 victims across leak sites; Qilin +420% YoY.

26. Treasury OFAC. Treasury Sanctions Russia-Based Hydra, World's Largest Darknet Market. Press release JY0701, April 5, 2022. https://home.treasury.gov/news/press-releases/jy0701. US$5.2B BTC since 2015; 17M customers; 80% of darknet crypto txn share.

27. Treasury OFAC. Treasury Sanctions Illicit Marketplace Genesis Market. Press release JY1388, April 5, 2023. https://home.treasury.gov/news/press-releases/jy1388. 1.5M infected computers; 80M account credentials.

28. TechCrunch. FBI seizes Genesis Market, a notorious hacker marketplace for stolen logins. April 5, 2023. https://techcrunch.com/2023/04/05/fbi-genesis-market-seized-stolen-logins/. US$8.7M Genesis revenue.

29. CNBC. World's biggest darknet marketplace, Russia-linked Hydra Market, seized and shut down, DOJ says. April 5, 2022. https://www.cnbc.com/2022/04/05/darknet-hydra-market-site-seized-and-shut-down-doj-says.html. US$25M BTC seized; 19,000+ Hydra vendor accounts.

30. KrebsOnSecurity. FBI Seizes Bot Shop 'Genesis Market' Amid Arrests Targeting Operators-Suppliers. April 2023. https://krebsonsecurity.com/2023/04/fbi-seizes-bot-shop-genesis-market-amid-arrests-targeting-operators-suppliers/. Operation Cookie Monster context.

31. DOJ. Founder of One of World's Largest Hacker Forums Resentenced to Three Years in Prison. September 2025. https://www.justice.gov/opa/pr/founder-one-worlds-largest-hacker-forums-resentenced-three-years-prison. Conor Fitzpatrick (Pompompurin).

32. DarkOwl. BreachForums Disruption Sparks Copycat Domains and Darknet Chaos. April-May 2025. https://www.darkowl.com/blog-content/breachforums-disruption-sparks-copycat-domains-and-darknet-chaos/. April 28, 2025 admin announcement.

33. Kaspersky Securelist. Analysis of dark web posts selling access to corporate networks. 2024. https://securelist.com/initial-access-data-price-on-the-dark-web/106740/. Most listings US$500 to US$2,000; 27% targeting US$1B+ revenue orgs.

34. IBM. 2026 X-Force Threat Intelligence Index: Securing Identities, AI Detection Risk Management. February 2026. https://www.ibm.com/think/x-force/threat-intelligence-index-2026-securing-identities-ai-detection-risk-management. 300,000+ ChatGPT credentials advertised.

35. Tripwire. Key Takeaways from the IBM X-Force 2025 Threat Intelligence Index. April 2025. https://www.tripwire.com/state-of-security/key-takeaways-ibm-x-force-threat-intelligence-index. Dark-web infostealer ads +12% YoY 2024; Lumma top.

36. Recorded Future. 2025 Identity Threat Landscape Report (March 2026). March 2026. https://www.recordedfuture.com/blog/identity-trend-report-march-blog. Cited for cross-comparison only; 1.95B combo-list credentials indexed in 2025.

37. Patient Protect. Healthcare Data Breach Statistics 2025: Why Medical Records Are Worth 10x Credit Cards. 2025. https://patient-protect.com/post/healthcare-data-breach-statistics-2025-why-medical-records-are-worth-10-more-than-credit-cards. US$260 to US$310 per record.

38. Cybernews. Infostealer malware detected within US military and defense companies. 2024. https://cybernews.com/security/infostealers-detected-within-us-military-and-defense-companies/. Independent reporting that priced individual military-credential logs from US$10 per machine, supporting the commodity-tier per-log floor.

39. NETSCOUT. DDoS-for-Hire and the Evolving Use of AI. 2024-2025. https://www.netscout.com/blog/asert/ddos-hire-and-evolving-use-ai. Booter / stresser pricing tiers.

40. Imperva. DDoS for Hire | Booter, Stresser and DDoSer. 2024. https://www.imperva.com/learn/ddos/booters-stressers-ddosers/. Average 1-hour package ~US$38.

41. The Hacker News. Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks. March 2026. https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html. Independent confirmation of takedown scope.

42. Komando. The dark web price list: What criminals pay for your personal data. 2025. https://www.komando.com/news/security/the-dark-web-price-list-what-criminals-pay-for-your-personal-data/. Aggregator quoting 2025 marketplace observations.

43. Barracuda Networks. Fullz for sale: What it means for your security posture. March 27, 2025. https://blog.barracuda.com/2025/03/27/fullz-for-sale-what-it-means-for-your-security-posture. Dead fullz US$1 to US$3 each.

44. TRM Labs. 2025 Crypto Crime Report. February 2025. https://www.trmlabs.com/reports-and-whitepapers/2025-crypto-crime-report. US$10.7B fraud in 2024; broader crypto-fraud context.

45. The Block (TRM-cited). Front-end and private key exploits drove over $2 billion in crypto thefts during H1 2025. 2025. https://www.theblock.co/post/360084/front-end-and-private-key-exploits-drove-over-2-billion-in-crypto-thefts-during-h1-2025-report. H1 2025 crypto-theft total US$2.1B.

46. Coinmonks (Pink Drainer summary). Pink Drainer Out, Inferno Drainer Back. 2024. https://medium.com/coinmonks/pink-drainer-out-inferno-drainer-back-new-shift-in-the-crypto-wallet-drainer-industry-6915c270bb68. Pink Drainer US$85M cumulative across 21,000+ victims.

47. FBI Internet Crime Complaint Center. 2024 Internet Crime Report. April 2025. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf. US$16.6B total reported losses; 859,532 complaints; +33% YoY.

48. Research and Markets. Dark Web Intelligence Market Size, Share & Forecast to 2032. 2026. https://www.researchandmarkets.com/report/dark-web-intelligence. US$667.26M 2026 → US$1.19B 2032 at 10% CAGR.

49. Allure Security. The Tycoon 2FA Takedown and the Limits of Infrastructure Disruption. April 2026. https://alluresecurity.com/blog/tycoon-2fa-takedown-infrastructure-limits/. Post-disruption resurgence note.

50. Europol. Global phishing-as-a-service platform taken down in coordinated public-private action. March 4, 2026. https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action. CIEP Tycoon 2FA action.

For organizations measuring their identity-attack surface against the dark-web pricing tiers documented here, Stingrai's PTaaS and adversary simulation practices include AiTM credential-and-session-cookie testing against production identity flows, IAB-style initial-access scenario emulation, and stealer-log exposure simulation. The Stingrai team carries OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, and CISSP certifications, has 18 published CVEs in the wild, and presents research at DEFCON and BSIDES. For the broader credential-theft economy and stealer-log volume that anchors this pricing, see Compromised Credential Statistics 2026.