Stolen Data Prices on Dark Web: The Complete 2026 Price List

Everything you've ever typed into a browser, every password you've ever saved, every login your employees use daily—it all has a price on the dark web. And the prices reveal exactly what attackers value most. Understanding the dark web market for stolen data is the first step to protecting what's most valuable.

The Dark Web Marketplace — Brief Overview

The dark web didn't invent the market for stolen data—it just made it efficient. Before Silk Road (shut down in 2013) and AlphaBay (shut down in 2017), selling stolen credentials and personal information was a fragmented, dangerous business. Buyers and sellers didn't trust each other. Transactions were unreliable.

Then came marketplaces that imposed order on chaos. They offered escrow services, reputation systems, and guaranteed delivery. Genesis Market became notorious for selling access credentials—data that allowed anyone to impersonate legitimate users by hijacking their browser sessions. Other major markets like Hydra (still active on Russian-language dark web) and newer platforms on Telegram offer similar services.

When law enforcement shuts one marketplace down, another opens within weeks. The business model is too profitable to disappear.

What's important to understand: The dark web pricing you see today is standardized. A credit card number doesn't have wildly different prices across different sellers. The market has reached equilibrium. These are the prices.

The Price List — What Your Data Is Worth

Data Type	Price Range	Notes
Credit/debit card (basic)	$5–$20	Higher for US Amex cards; includes CVV, expiration date, cardholder name
Online banking credentials	$40–$2,000	Scales dramatically with account balance and institution; European banks command premium
Corporate VPN credentials	$500–$3,000	Depends on company size and industry; financial/healthcare higher
RDP access	$200–$15,000	Remote Desktop Protocol; scales with company revenue and network criticality
Email account access	$1–$8	Gmail, Outlook, corporate email; corporate accounts at high end
Healthcare records (EHR)	$200–$1,000 per record	10–50× more valuable than credit cards
Social Security Number	$2–$30	US SSN; EU national ID similar value
Passport scan	$10–$40	Any country; used for identity fraud and account takeover
Corporate email domain dump	$10–$100 per 1,000	Depends on company size and industry; financial/tech premium
Full identity package	$15–$150	Name, DOB, SSN, address, phone—everything needed for identity theft
Executive dossier	$500–$5,000	CEO/CFO with personal details, family info, financial statements
Ransomware deployment service	$400–$1,500	RaaS (Ransomware as a Service) affiliate fees for network access
Initial network access	$200–$100,000	Scales with company revenue; entry point for ransomware deployment

Why Healthcare Records Cost More Than Credit Cards

The asymmetry is striking. A healthcare record is worth 10–50 times more than a stolen credit card. Why?

Credit cards can be cancelled instantly. Fraud department gets a report, card is frozen, new card arrives in 5 days. The stolen data becomes worthless.

Medical records cannot be changed. Your Social Security number, date of birth, address, diagnoses, medications—these are immutable. Once stolen, they're permanently compromised. An attacker can use them years later.

Here's what makes medical records so valuable:

Insurance fraud: Use someone else's policy to get prescriptions, treatment, equipment billed to their insurance
Prescription fraud: Fill controlled substance prescriptions in the victim's name
Identity theft: Medical records contain everything needed to open credit accounts
Blackmail: Sensitive health information (mental health treatment, STDs, addiction) can be weaponised against executives
Denial of service: Criminals can deliberately pollute someone's medical record, causing them real harm in future treatments

The average healthcare record value per industry reports: $250 per record. For a hospital system with 10,000 patient records compromised, that's $2.5 million in dark web value. Compare that to a credit card breach of the same size: $50,000 in stolen card numbers.

Healthcare data is so valuable that health insurance companies now routinely negotiate cyber insurance premiums based on specific dark web monitoring for medical record exposure.

What Makes Corporate Credentials More Valuable

Not all corporate credentials are created equal. An RDP access token for a $2 billion financial services company is worth vastly more than the same token from a 50-person startup.

Factors that determine price:

Company revenue: Financial institutions, healthcare, and tech companies command 3–5× premiums
Access level: Domain admin access > manager-level access > regular employee access
Network criticality: Access to production systems > development > administrative tools
Freshness: Recently stolen credentials > old dumps (tested and verified > unverified)
MFA bypass included: Credentials that bypass multi-factor authentication command 10–50× premiums (are almost impossible to find—most MFA cannot be bypassed)

A domain administrator credential for a financial services company with $100M+ revenue might sell for $3,000. The same credential for a small company might sell for $200.

An initial network access point for a ransomware group (the entry needed to deploy ransomware across an entire company) scales from $200 for a small company to $100,000 for a Fortune 500 company.

The Economy of Scale — Combo Lists and Bulk Pricing

Most employees don't realize this: their credentials are probably already on the dark web.

This happens through data aggregation. When a company is breached, the attacker sells the dump to one buyer. But then that buyer creates a "combo list"—combining email addresses and passwords from multiple breaches. These combo lists are sold in massive batches.

Bulk pricing:

1 million email/password combinations: ~$10
That's $0.00001 per credential

These combo lists are used for credential stuffing attacks: automated tools try your leaked password against every major website. If you reused your password (and most people do), the attacker now has access to your banking, email, shopping accounts—everything.

Fresh combo lists sell faster. Lists created in the last 30 days command 2–3× the price of older dumps. The reason: passwords that were recently exposed haven't been rotated yet.

Reducing the Value of Your Data to Attackers

If your company data ends up on the dark web, here's how to make it worthless:

MFA makes credentials nearly valueless. A password is only useful if someone can log in with it. Multi-factor authentication blocks that instantly. An MFA-protected credential might be worth $0.10 on the dark web instead of $5. Deploy MFA everywhere.

Rotating credentials quickly after dark web detection neutralises exposure. If you discover your data on the dark web and reset passwords within hours, the credentials are already dead. The attacker can't use them anywhere. Update your password rotation policy and monitoring to catch dark web exposure within 24 hours.

Tokenisation of payment data. If you store payment card data in tokenised form (unique identifier instead of actual card number), a breach doesn't expose the underlying card numbers. PCI DSS requires this for large merchants—implement it even if you're not required to.

Least-privilege access limits blast radius. If a compromised account can only access a specific system, not the entire network, the value drops dramatically. Segment your network. Limit what each credential can access.

DarkVault provides the monitoring layer. You can't reduce data value if you don't know it's been exposed. Set up dark web alerts now to catch your company data, executive profiles, and employee credentials within hours of posting, not weeks or months.

Find out what your company data is worth—and who's already selling it. Run your free dark web scan now. Discover if your employees' credentials, business data, or executive information are already circulating on the dark web. Get ahead of attackers who are pricing your data this very moment.

FAQ

How do dark web prices compare to real-world financial damage?

Massively undervalue it. A stolen credit card might sell for $5 on the dark web, but the average fraudulent charge is $100–$500. A corporate RDP access might sell for $500, but the ransomware deployment that follows costs the company $2–$10 million in recovery, downtime, and fines.

The dark web price is what the attacker charges for the initial item. The real financial damage is the cascade effect: compromised credential → network access → ransomware deployment → business shutdown → regulatory fines → reputational damage. The initial data is just the first domino.

How quickly do stolen credentials get sold after a breach?

Within hours if it's a fresh, valuable dump. A breach of 100,000 employees at a Fortune 500 company will be advertised on dark web forums and Telegram channels within 24 hours of the attacker gaining access to it.

Combo lists (aggregated from multiple breaches) are sometimes sold and resold multiple times. A single breach can generate income for an attacker for years as their data gets bundled into different combo lists and sold repeatedly.

Is there a "dark web price index" I can reference?

Not officially, but security research firms publish regular reports. Comparitech, Privacy Affairs, and NordVPN publish annual dark web pricing surveys. These prices fluctuate slightly based on market conditions and supply, but the ranges I've listed here are accurate to within 10–20% for 2026.

The prices also vary by language and geography. Russian-language dark web forums might have slightly different pricing than English-language forums. But the equilibrium is surprisingly consistent across markets.