
Dark Web Price Index 2020 - known
https://www.privacyaffairs.com/dark-web-price-index-2020/
======
bilbopotter
Hitman-for-hire darknet sites are all scams. This Wired article explains how
these offerings are all scams.

[https://www.wired.co.uk/article/kill-list-dark-web-hitmen](https://www.wired.co.uk/article/kill-list-dark-web-hitmen)

~~~
zelly
The best darknet hit-for-hire idea I've seen is the one that uses a prediction
market. You publicly bet $500k that Joe is not going to die in 1 week. Whoever
takes the other side of that bet has an interest in making Joe die.

(Assume the prediction market is completely decentralized and untraceable.
Assume there is an accurate way to determine the outcomes of the events in a
manner compatible with being untraceable and decentralized.)

~~~
jhardy54
Assuming the prediction market _isn't_ untraceable, would this be legal?

If Joe dies and someone gets $500,000 richer I'm sure the police would be very
interested to investigate the transaction, but would the bet itself actually
violate any laws?

~~~
michaelmrose
Laws aren't programs and judges and juries aren't required to interpret them
like a robot. Odds are that a reasonable jury would find you had hired a
hitman and just convict you and move on.

Please see people who are convicted on limited or circumstantial evidence
because everyone is pretty sure they did it. Example: Hans Reiser.

~~~
jhardy54
> Laws aren't programs and judges and juries aren't required to interpret them
> like a robot.

I understand that HN and Reddit like to repeat this fact, but it's really not
a useful answer to the question I asked. I think you're saying "no, it's not
illegal", but you've masked that opinion with trivia.

> limited or circumstantial evidence [...] Hans Reiser

Reiser pled guilty to murdering his wife and disclosed the location of her
shallow grave. I'm not sure how limited or circumstantial that is.

~~~
michaelmrose
Reiser pled not guilty and successfully eliminated all conclusive evidence of
his guilt. After they convicted him anyway he disclosed the location of her
shallow grave.

I don't think it's masking the issue with trivia at all. If you conspire to
kill someone or indeed to commit any crime and your defense rests on a cute
use of the law to remain technically on the side of the law while obviously
trespassing beyond it you are only as safe as you can convince the jury you
are.

If you are more interested in the actual law we could look at justice.gov

[https://www.justice.gov/archives/jm/criminal-resource-manual...](https://www.justice.gov/archives/jm/criminal-resource-manual-1107-murder-hire-offense)

Section 1958 renders it illegal: 1) to travel or use facilities of interstate
or foreign commerce; 2) with intent that a murder in violation of State or
Federal law be committed;

Looking at my state's (WA) law:

RCW 9A.32.030 Murder in the first degree. (1) A person is guilty of murder in
the first degree when: (a) With a premeditated intent to cause the death of
another person, he or she causes the death of such person or of a third
person;

If you in effect arranged for someone to die by betting a large sum of money
on a prediction market no judge or jury will pick nits and disregard your
intent while placing such a bet.

------
Taek
One of the biggest takeaways from this for me is that PayPal has awful
security when it comes to compromised accounts. The only reason compromised
accounts would trade for prices that high is because hackers have a high
success rate of stealing funds from them, and a low chance of getting caught.

Credit cards and bank credentials being worth comparatively much less means
that hackers don't have easy ways to secure the funds - either there's a high
risk that the transaction is reverted, or there's a high risk that the hacker
gets caught and goes to jail. You can tell it's not just an effort issue
because the value of the accounts barely scales as the amounts in the accounts
increase.

~~~
awakeasleep
It's hard to parse your take, I think the phrase 'security' must be
overloaded.

Considering there are ~325 million active PayPal accounts, wouldn't there be a
huge supply if their security, overall, was lax?

And furthermore, isn't the security of a criminal getting money out of the
system only equivalent to getting the money through banks?

~~~
notatoad
> wouldn't there be a huge supply if their security, overall, was lax?

i don't think normal demand curve applies to stolen bank accounts. the value
of a stolen account would be the average amount of money you can expect to get
out of it, regardless of how many stolen accounts are available. An increase
in supply wouldn't make that any different.

------
TheAdamAndChe
It scares me that posts like this always write of Tor like it's not
compromised.

I browsed Tor regularly between 2011 and 2013. Late 2012 and early 2013
brought the most precipitous drop in deviant material. Before then, you
couldn't throw a stone without coming upon CP (I avoided it like the plague but
knew it was there), you could buy literally any drug on the Silk Road safely,
and you could easily find bomb-making and asymmetric warfare information.
Nowadays? Not so much.

~~~
GordonS
> Before then, you couldn't throw a stone without coming upon CP (I avoided it
> like the plague but knew it was there), you could buy literally any drug on
> the Silk Road safely, and you could easily find bomb-making and asymmetric
> warfare information. Nowadays? Not so much.

I'm sure CP existed and exists on the dark web, but I think it's an
exaggeration to say "you couldn't throw a stone without coming upon CP". A few
years back I spent quite a bit of time on Tor (research purposes), and
thankfully never once just stumbled upon CP - I'm sure it's there, but you're
going to have to go looking for it.

While Silk Road isn't around any more, other drug marketplaces pop up as soon
as one disappears - it's still very, very easy to buy any drug you want. Next
day delivery of heroin? Easy. You've 3 big threats with buying drugs on the
darkweb though:

1) The site pulling an exit scam, disappearing with all the escrowed funds

2) Your seller pulling an exit scam, taking money for as long as possible
without sending any drugs, then leaving the market

3) The site being compromised by the feds - it's actually quite difficult to
run a watertight site on the darkweb, so this does happen

~~~
TheAdamAndChe
_I think it's an exaggeration to say "you couldn't throw a stone without
coming upon CP"._

It was on every single Hidden Wiki at the time.. it _was_ everywhere, and
commonly linked to from sites like 4chan.

 _other drug marketplaces pop up_

Sure, but nothing like the Silk Road. In a winner-take-all market like the
online marketplace market, you would expect a top dog to emerge.

When did you do your research? The difference I noticed began late 2012.

~~~
GordonS
It was post Silk Road that I started researching - I forget exactly,
but maybe around 2015/2016?

There were huge markets after Silk Road, though admittedly I don't know how
their size compared to Silk Road (e.g. AlphaBay, Agora, Nucleus, Hansa).

~~~
qes
AlphaBay was like 10x the size of the original Silk Road.

DNMs haven't been the same since the busts of AlphaBay and Hansa in close
succession.

------
bawolff
> Avoid public or unsecured WiFi. If you must log into an account on a network
> you don’t 100% trust, use a VPN to encrypt all communications. Even bank
> websites can be forged to be almost undetectable if an attacker has
> administrative access to the network you’re using.

I think we should stop fear mongering over shady wifi. In a world with HSTS
and CT, these types of attacks are incredibly difficult to pull off.

~~~
scrose
Aren’t you assuming that users are only navigating to HTTPS sites and entering
information? That’s unfortunately not the case. That also ignores the fact
that having information about general activity can in itself be a privacy
concern, whether or not that information is readable.

~~~
bawolff
I am assuming that users go to their bank website by typing it into google and
then clicking on their bank as a result.

Google is HSTS. The bank may or may not be (what a sad state of affairs, but i
digress) but the link from google will at least be https.

What websites do you have in mind that are not https and that average users
enter personal information that could lead to identity theft on?

> having information about general activity can in itself be a privacy
> concern, whether or not that information is readable.

It definitely can be in some threat models. In the context of average user
being the target of drive-by identity theft, i struggle to see a realistic
threat model for traffic-analysis of encrypted network traffic.

------
rwmurrayVT
You would be very hard pressed to find a cloned card + PIN anywhere. That's
the holy grail and information like that would never find its way outside of
a team. Think about how easy it is to go to an ATM and use it. Why would you
sell that information for $25?

The rest of it seems fairly accurate based on jstash/unicc/etc.

~~~
skim_milk
Sure, you can get this data, but you also have to test what credit cards work
and what don't. You can't just go to an ATM and start working through 50
credit cards you stole until one worked without something noticing. I'm
assuming a lot of the cost is sunk to just testing if the credit cards even
work and how well their fraud detector/max purchase limit is set up, which is
very costly, so labor cost might be very high compared to the raw $25-per-
number.

Some time ago I accidentally stumbled upon how some organized crime ring
determined which credit cards worked. Someone in my party asked the Uber
driver one night what other gigs they do for money. He said he uses this one
card to get 40% cash back. Of course I asked more questions being the only one
in security at this party:

He starts talking saying he goes around to different, small, local businesses
- but never visiting the same place twice - and uses this card to pay for his
friends' food, splitting the bill, but keeping the cash back rewards.
Sometimes the card is rejected and he has to keep trying until it works
finally. The actual credit card has to frequently connect to his phone by
pushing a button on the card to sync with his phone to make purchases. Of
course what his phone is doing is downloading a backlog of CCN's which then is
sent to the credit card to change the magnetic strip dynamically - completely
unknown to him he's testing if credit card numbers are working and getting
paid for it. Genius scam, but that's what this one specific crime ring has to
pay in order to check the availability of stolen credit card numbers.

~~~
inetknght
Does he get a bill and have to pay off the card? I assume that would _also_ go
to stolen bank accounts.

~~~
skim_milk
I couldn't tell 100% if he was "in" on the scam or not - has he really never
thought of why they tell him to go to distant restaurants, never returning,
and why the card is always declined multiple times, and why the cash back is
THAT HIGH? He did give me a referral as if he was trying to sell this idea but
I didn't get very far in their signup (first question: my full name. pulled
the plug there) and he introduced this topic as if he was "working" on this
"technology" that I had to ask a dozen questions to pry open before he even
got us introduced to his "credit card" (either he was really working on it and
wanted to keep it secret from us actual techies, or knew something was sketchy
and didn't want people to know he was doing shady stuff, or he genuinely
thinks he is beta testing some legit technology and getting rewarded for it
but didn't want to immediately go into detail)

But if he isn't in on the scam and does pay off his card, funny enough, that
must mean all of his money is going directly to the crime ring. Two birds with
one stone!

------
darth_avocado
I love the lady in the comments section, just being boss and looking for tips
to become a criminal

------
itchyjunk
If you get on torsearch or similar tor search engines, you see ads for similar
stuff. You also see links in forums and such for places selling what you want.
These are the types of prices the ads themselves claim. Is the author taking
all those numbers at face value? Or is this some more in-depth research where
it was possible to purchase one or more services? If it's the former, I don't find
these numbers to mean much.

The links can be dead by the time you get to them. You don't know if it's just
another honeypot. You don't know if you'll get what you pay for.

~~~
bilbopotter
Exactly, the author didn't buy a single thing. Honeypot scams all the way.

~~~
pmiller2
Do you really expect them to actually make a purchase, and then admit to at
least $NUMBER_OF_ROWS_IN_TABLE crimes in print?

~~~
xorcist
Maybe they ordered items at random, it could be art?

[https://wwwwwwwwwwwwwwwwwwwwww.bitnik.org/r/](https://wwwwwwwwwwwwwwwwwwwwww.bitnik.org/r/)

------
hashmal
How can you build a dark web price index and not mention drugs at all?

~~~
prodmerc
You don't even need the dark web these days haha

I bought an expensive T-shirt a long time ago from a rather legit looking
apparel company (nice website, LTD company/bank account).

Learned the right words on Reddit, hit up Instagram and started looking for
and messaging people. Got a few replies, went with the one who had the most
legit looking photos.

After a few questions on WhatsApp (yeah, really, lol) got directed to the
website and bought the right item... via direct debit because their payment
processor was "down".

Big risk on my part, I guess, my plan if popo called was to just say "hey I
only ordered a t-shirt!"... I did not think it through very well.

Got it pretty fast (Royal Mail tracked and signed) and found a gift pack of
"Revels" inside. How nice of them!

It seems rather risky for them, wouldn't it take just one guy to talk? Or
maybe the seller was new to the business.

Tbf, setting up a company, bank account and shipping, all while staying
anonymous is extremely easy (but not legal) in the UK compared to the rest of
EU.

~~~
hashmal
Don't give everyone the secrets! ;)

Joking apart, my question wasn't to learn about drug prices for "practical
use". I just think it's an interesting subject: how the web changes
underground/illegal markets, what impact it has, etc.

There are lots of counterintuitive things in that field (look at how Portugal
handles it), which makes it even more interesting to me. "war on drugs vs war
on drug users".

------
netsec_burn
What makes malware "low quality", "high quality", "premium", 70% reliability,
etc. Sounds like it's all low quality to me, because outside on the regular
market zerodays can be 100k-1M or more. If I remember correctly, Alphabay used
to be where darknet zerodays were listed before it was taken down.

~~~
tmikaeld
Considering the enormous amount of un-patched Android phones, I'd assume that
low quality is considered a low-end phone being malware controlled.

So what it can do is as limited as its hardware and connectivity?

------
lifeformed
Why do bank accounts with money in them sell for less than the amount in them?
Is it counterbalanced by the risk of withdrawing from them?

~~~
lukeramsden
Yes, not only is it very risky to attempt to withdraw money from them, often
times you won't manage to get the full amount out before fraud systems go off.
Same with credit cards.

~~~
wmeredith
This was my thought, admittedly knowing little about this world. E.g. a stolen
item's street value is a fraction of its actual used goods value. It's only
worth what you can get in cash within hours.

------
ed25519FUUU
The most surprising thing to me on that list was the AAA emergency road
service membership card for $70.

Why would this be so valuable? Stealing somebody else’s free emergency tow?
Isn’t a membership itself only like $120 a year?

~~~
nojito
It's used to commit insurance fraud.

------
qwerty456127
Why are hacked Facebook/Gmail/Instagram/etc accounts so expensive?

~~~
cycomanic
Follow up question, if they are so important why has no-one created a scheme
of scamming the scammers. Just create lots of new arbitrary Gmail accounts and
sell them on the dark web? How do they prevent that?

~~~
ndr
What makes you think this is not the thing on sale?

~~~
tripletao
A hacked Gmail account and an empty new account both have commercial value,
but with very different applications. For the quoted price (~$150), a hacked
real email account would have to be full of personal information useful for
identity theft type fraud, or able to be used to gain further control of other
accounts that support password reset by email. An empty new account ("PVA",
phone-verified account) is good only for spamming, registering fake accounts
with services that require an email address, etc., with typical pricing in the
tens of cents. PVAs are closer to commodities, while the pricing for a hacked
real account would vary a lot with the victim (child vs. college student vs.
investment banker vs. careless cryptocurrency enthusiast vs. ...).

Of course nothing stops an anonymous seller from defrauding an anonymous buyer
in a one-off transaction. But sellers operate under some kind of semi-stable
pseudonym, so they do care about their reputations. They might also be selling
on a market where some third party would look at the goods provided and
adjudicate a dispute.

------
b1ur
I haven't explored the darknet in over 5 years, but some of these prices seem
a bit high. Around 2014-2015 I saw PayPal accounts listed for $3 a piece ($5
if you bundled it with SOCKS proxy access). Which could mean a couple things:
PayPal security has gotten tighter, restricting the supply of accounts; PayPal
security has actually gotten worse, increasing the actual value of the
accounts; or maybe these guys are doing "market" research and determined that
their profit margins were higher charging $25 for the same product. It could
also mean that the writers of this article didn't do enough digging to find a
"better" deal. Interesting read but I'm not sure how much I trust their
numbers.

~~~
JamesBarney
Couldn't it also be that the buyers are better at extracting value from the
accounts?

------
SV_BubbleTime
> The “quality” [counterfeit money] tend to cost around 30% of the banknote
> value.

This was the most surprising to me. Seems like it’s extremely high priced. You
get a 30% discount for using counterfeits and potentially getting the secret
service on you? Maybe that is a reflection of its quality but... Yea, no
thanks.

Edit: Ohhhh My bad read it wrong. 70% off... better but these would have to be
amazing quality.

~~~
wmf
30% of the banknote value = 70% discount. I suppose if you're spending the
cash on something illegal anyway the Secret Service is less of a concern.

~~~
SV_BubbleTime
You’re right. I’m an absolute idiot.

So $6 actual for a $20 bill. I see how that could be tempting to someone but
I’m pretty sure it would have to be somewhere outside the US, you don’t mess
with fake money here.

------
wolco
What shocked me is no price for youtube followers. I guess twitter, ig matter
where youtube followers don't.

~~~
crznp
Rather: fake youtube followers have a negative ROI.

Perhaps because they don't matter, but perhaps because they are more difficult
to create or Google is better at spotting fakes.

~~~
coronadisaster
Or maybe Twitter and IG don't care about fakes...

~~~
b1ur
That's my guess. On twitter/ig, advertising deals would be done directly
between accounts and advertisers, so the social media provider itself wouldn't
really care; fraudulent engagement numbers are third-party. YouTube is
different, where the host also provides the advertising service, and fake
numbers hurt Google's bottom line. So they're probably both harsher on fakes
and better at detecting them.

------
anonymousDan
Can anyone point me to some of the 'how to cash out' guides mentioned? Doing
some research in this area and quite interested to learn about techniques used
in practice and how they compare to those proposed in academic literature.

------
mullen
> AAA emergency road service membership card $70

I think the renewal for my AAA membership was $74. Why would anyone pay for a
fake membership for $70?

~~~
janekm
I’m going to guess that the real AAA card would have your actual name on it.

------
malwarebytess
Why is malware listed in quantities? lol

Did they scrape data from various black market sites naively?

------
bilbopotter
Let's say I decide to pay $800 for a DDoS attack. Provider pockets the $800 and
doesn't carry out the attack. What's my recourse? Contact customer service?
Nope. Contact the police? Hmm. You see the whole thing is a scam. There are
plenty of articles online about it.

~~~
evook
It's not a scam. Those scenes live by reputation alone. If you need something
as a once in a lifetime service you are well advised to use a trusted third
party within the scene. Those are either trade mods or well known veterans.

If you become familiar and known in the scene the risk of being scammed is
very low and if it happens it's more like a "one last money grab and I am done
thing" where the person offering the service will disappear. But since this
works once per online persona this really doesn't happen that often.

~~~
kace91
how does one even begin to become known in a scene if you don't even know
where (or if) it exists?

Not that I'm planning to purchase any of those services of course, I'm just
curious because it sounds like there's no possible starting point, unless by
pure chance one of your personal friends happens to be already involved in the
area and lets you know.

~~~
colinmhayes
Dark web markets have escrow systems as well as review systems which show how
much each customer paid for the service. One can see if a vendor is well
reviewed and it's unlikely the reviews are astroturfed if they are on large
transactions because the fees on these markets are relatively high.

------
vmception
One thing I hate about the underground is the blatant racism to deny service,
and then having to pretend that this is not a reflection of the general
society but not being able to talk about it.

From forgers to illegal sex workers. Even the rationales are flimsy.

~~~
pmiller2
This seems like an interesting comment, but I don't really understand it,
probably from lack of context. Are you saying darknet sellers discriminate
based on race for reasons that don't make a lot of sense? Or am I
misunderstanding?

~~~
vmception
some darknet sellers and illicit marketplaces discriminate against certain
races, while I never see other certain races singled out at all.

there are easy rebuttals to help justify why different kinds of service
providers discriminate in those specific trades if I elaborated at all, but
the rationales behind them still don't make sense.

I only posted as it might be a shared experience for some people passing
through here, and insightful to people that haven't experienced it. If you are
in the habit of questioning the validity of a reality you personally haven't
perceived, then this comment just isn't for you.

~~~
GordonS
I'm probably missing something here, but I don't really understand how service
providers in an anonymous marketplace can discriminate based on race - how
would they know the race, gender or any other attribute of their buyer?

~~~
jasonwatkinspdx
Allow me to decode: I believe they're talking about how some sex workers have
a blanket policy against black men.

~~~
GordonS
Ah right, I didn't realise we'd moved from the darkweb to the real world -
comment makes more sense in that context, thanks.

------
Thorentis
I don't believe any of this. $20 for a credit card that has up to $5000 on it?
Which criminal would sell something worth $5000 for $20? Even PayPal accounts
with over $3000 selling for $100? Makes absolutely no sense. The other line
items about Malware with "slow spread" is absurd. This is BuzzFeed level cyber
journalism.

~~~
lukeramsden
I have no idea how these prices were calculated, but I can tell you that the
prices for the credit cards are quite correct (at least approximately). $20
for a credit card with $5k limit is not worth $5k - you've got to actually get
value from it, usually by trying to buy goods or bitcoin with it, which is
very risky, time consuming, requires a lot of skill and effort, and you won't
get the full $5k from it. The people selling them are presumably "hackers"
looking to make money off of stolen PII/FI.

~~~
lifeformed
Couldn't you use card credentials to get a cash advance at an ATM? I am
assuming a chip-less card's magstripe just has the credentials on it, so it
should be easy to copy? I guess the bank's fraud systems would catch an unusual
withdrawal.

~~~
xondono
- You could, but you'd be exposing yourself, so you'll want to send a mule in
your place.

- That adds extra risk, so you might have to pay someone to scare that mule
into doing their part.

- You'll want to get that laundered somehow, so you'll want to arrange some
nice path that leaves no trail to you, maybe through Western Union?

And so the costs keep increasing and your margin goes down. The key of the
game is to set up this kind of stuff _at scale_. Then it doesn't really
matter if you're making only 60$ from each card, as long as it covers the
cost.

