Stolen UK payment card details are now commonly sold on dark web marketplaces for around £9 (around $12), with full digital identity packs being sold for around £30 ($40), according to NordVPN.
Among the most commonly sold pieces of information are payment cards, digital passport copies (£26), digital driving licence copies (£26) and full bundles of the above and more.
Key Takeaways
- Stolen UK payment card details are sold on dark web marketplaces for around £9.
- Full digital identity packs are sold for around £30.
- Payment cards, digital passport copies, digital driving licence copies, and full bundles are commonly sold.
- UK citizens are a major target, with their data worth more.
- The best fix is to secure your online accounts.
The Dark Web Market for Personal Data
NordVPN’s research found that stolen payment card details are being sold on dark web marketplaces, with prices starting at £9. This is a concerning finding, as it shows that personal, sensitive information is easily accessible to criminals.
“When people hear that stolen data is selling for the price of a coffee, it can sound almost trivial,” CTO Marijus Briedis wrote, “but for criminals, it can go on to commit identity theft, account takeovers, credit application and loan fraud, phishing campaigns and more.”
These marketplaces operate on encrypted networks, making them difficult to police. Vendors list stolen data like product listings on e-commerce sites, often with ratings, reviews, and even customer support. Some listings include guarantees about the validity of the data — for example, a “fresh” card that’s still active or a login with two-factor authentication already bypassed.
The £9 price tag typically includes the card number, expiration date, CVV, and sometimes even the cardholder’s name and billing address. That’s enough to make online purchases, especially on platforms with weak fraud detection. More advanced bundles include access to online banking portals or merchant accounts, which sell at a premium.
Full digital identity packs, priced around £30, go further. They combine payment details with government-issued documents like passport and driving licence scans. These are often copied from official sites, identity verification platforms, or stolen from cloud storage. Once assembled, these packs let criminals open new accounts, apply for loans, or rent property under someone else’s name — all without ever meeting a human.
Prices vary depending on the completeness and freshness of the data. A “fullz” package — industry slang for complete identity data — might include employment records, utility bills, or social security numbers if sourced from international leaks. But even the basic UK bundles are enough to pass many automated verification checks used by banks and fintech apps.
Why UK Citizens Are a Major Target
NordVPN found that UK consumers are among the most valuable, with payment card data priced “slightly above” the European median and identity documents coming in with “comparatively high prices.”
This is a concerning finding, as it shows that UK citizens are disproportionately targeted by data thieves.
One reason is the UK’s high rate of digital banking and e-commerce adoption. More transactions mean more data trails, and more entry points for attackers. UK consumers use contactless payments, mobile banking apps, and online credit applications at some of the highest rates in Europe. Each interaction creates a new opportunity for data to be intercepted or leaked.
Another factor is the structure of the UK financial system. Many banks and lenders rely on third-party identity verification services that store personal documents in the cloud. While convenient, these platforms have been breached before, and copies of scanned IDs often end up in bulk databases sold on the dark web.
Also, UK identity documents are widely accepted across Europe and beyond, making them valuable for cross-border fraud. A forged UK passport or driving licence can be used to open bank accounts in other countries or gain access to services with laxer verification processes. That increases demand — and drives prices up.
How to Stay Safe Online
NordVPN suggests using unique passwords for every account with multi-factor authentication on top. Replacing traditional passwords with passkeys is a big win for consumers, because they can’t be stolen and copied from password managers and the underlying technology relies on matching an account with your device.
Passkeys work through public-key cryptography. Instead of storing a password on a server, your device generates a unique cryptographic key pair. The private key stays on your phone or laptop, and the public key is shared with the service. Even if a hacker gets the public key, they can’t reverse-engineer the private one. This makes phishing and credential stuffing attacks far less effective.
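The exchange described above, as an added example that is not from NordVPN or the original article: a simplified, WebAuthn-style sign-in in Node.js. The class names, origins and user name are assumptions made for illustration, and the real protocol carries more fields than the origin and challenge signed here.

```javascript
const crypto = require('node:crypto');
// Device side: one key pair per site; the private key never leaves this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // the only thing the service ever receives
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin, e.g. a look-alike domain
    return crypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Service side: stores public keys only and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) { const c = crypto.randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is consumed by the first attempt
    const publicKey = this.users.get(user);
    if (!challenge || !publicKey || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify(null, signed, publicKey, signature);
  }
}

function demo() {
  const site = 'https://bank.example';            // constructed origin
  const lookalike = 'https://bank-login.example'; // constructed phishing origin
  const device = new Authenticator();
  const rp = new RelyingParty(site);
  rp.enroll('alice', device.register(site));
  const sig = device.sign(site, rp.newChallenge('alice'));
  const legit = rp.verify('alice', sig);             // genuine login
  rp.newChallenge('alice');
  const replay = rp.verify('alice', sig);            // captured signature, fresh challenge
  const phished = device.sign(lookalike, rp.newChallenge('alice')); // device refuses
  // Someone holding a copy of the server's records has the public key only.
  const other = crypto.generateKeyPairSync('ed25519').privateKey;
  const c = rp.newChallenge('alice');
  const forged = rp.verify('alice', crypto.sign(null, Buffer.concat([Buffer.from(site), c]), other));
  return { legit, replay, phished, forged };
}
console.log(demo());
```

Only the genuine login verifies: a replayed signature fails against the fresh challenge, the device holds no key for the look-alike origin, and a signature made with any other private key is rejected.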
Reviewing bank statements frequently to spot unexpected charges can also help identify attacks – NordVPN plugged its own Dark Web Monitor as a similar type of tool that alerts users when sensitive personal data hits a dodgy marketplace.
The tool scans dark web forums, marketplaces, and chat channels for email addresses, phone numbers, and ID document references. When a match is found, the user gets an alert. It won’t stop the sale, but it gives people a chance to act — freezing cards, changing passwords, or reporting fraud before more damage is done.
What This Means For You
Stolen data can sell for as little as £9, making it a low-cost and low-risk option for criminals to commit identity theft and other cybercrimes. This means that it’s essential to secure your online accounts and monitor your bank statements frequently to spot unexpected charges.
Use unique passwords and multi-factor authentication to protect your accounts, and consider replacing traditional passwords with passkeys for an added layer of security.
For developers building consumer apps, this pricing model changes the threat landscape. If a single record can be bought for under £10, attackers can afford to run large-scale, automated fraud campaigns. A fintech startup offering instant credit checks might see a spike in fake applications — not because their system is flawed, but because the cost of testing stolen identities is nearly zero.
Founders in the digital identity space need to rethink verification. Relying on document scans alone is no longer enough. Liveness detection, device fingerprinting, and behavioral biometrics should be layered into onboarding flows. Even then, assume that some fraudsters will get through — so monitoring for unusual activity after sign-up is just as important.
For individual users, the risk isn’t just financial. A stolen passport copy can be used to create deepfake videos, synthetic identities, or blackmail material. Once that data is out, it’s nearly impossible to pull back. That’s why prevention — strong security hygiene, limited data sharing, and proactive monitoring — is the only real defense.
A Concerning Trend
As identity theft becomes quieter and more incremental, it is increasingly hard to notice an attack. Small pieces of leaked information end up being combined to form a bigger picture, leading to larger identity profiles.
This is a concerning trend, as it shows that data thieves are becoming more sophisticated and stealthy in their approach.
In the past, identity theft often involved big, noticeable moves — a criminal opening a credit card in your name, maxing it out, and disappearing. Now, attacks are more gradual. A fraudster might use your card to make a £5 subscription, then another for £8, and so on. These small charges often go unnoticed, especially if you’re not checking your statements closely.
Over time, the same actor can use your identity to build trust with financial institutions. They pay the bills on time, increase credit limits, and eventually request larger loans. By the time the victim notices, the damage is widespread and harder to reverse.
This “slow burn” method also applies to account takeovers. Instead of immediately draining a bank account, a hacker might log in once a month, make a tiny transfer, and stay under the radar. They could change the mailing address, update recovery emails, or disable alerts — all while appearing like the real user.
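One way a service or a careful account holder could look for the gradual pattern described above, as an added example that is not part of the original article. The event format, rule names, £10 small-charge threshold and 30-day window are assumptions, and the sample events are constructed.

```javascript
// Constructed sample events for one account (not real data); amounts in GBP.
const EVENTS = [
  { day: 1,  type: 'charge',  merchant: 'Grocer Ltd', amount: 42.10 },
  { day: 3,  type: 'charge',  merchant: 'StreamCo',   amount: 5.00 },
  { day: 9,  type: 'setting', change: 'alerts_disabled' },
  { day: 11, type: 'setting', change: 'recovery_email_changed' },
  { day: 12, type: 'charge',  merchant: 'Grocer Ltd', amount: 38.75 },
  { day: 20, type: 'charge',  merchant: 'CloudBox',   amount: 8.00 },
  { day: 33, type: 'charge',  merchant: 'StreamCo',   amount: 5.00 },
  { day: 34, type: 'setting', change: 'mailing_address_changed' },
];
// Account-control changes the article names as part of a quiet takeover.
const RISKY_CHANGES = new Set(
  ['alerts_disabled', 'recovery_email_changed', 'mailing_address_changed']);

function flagSlowBurn(events, knownMerchants, { smallMax = 10, windowDays = 30 } = {}) {
  const findings = [];
  // Rule 1: small charges from merchants the account has no history with.
  const byMerchant = new Map();
  for (const e of events) {
    if (e.type !== 'charge' || e.amount > smallMax || knownMerchants.has(e.merchant)) continue;
    byMerchant.set(e.merchant, [...(byMerchant.get(e.merchant) || []), e]);
  }
  for (const [merchant, list] of byMerchant) {
    const rule = list.length > 1 ? 'new_recurring_small_charge' : 'new_small_charge';
    findings.push({ rule, merchant, total: list.reduce((sum, e) => sum + e.amount, 0) });
  }
  // Rule 2: two or more account-control changes inside one window.
  const changes = events
    .filter(e => e.type === 'setting' && RISKY_CHANGES.has(e.change))
    .sort((a, b) => a.day - b.day);
  for (const first of changes) {
    const cluster = changes.filter(c => c.day >= first.day && c.day - first.day <= windowDays);
    if (cluster.length >= 2) {
      findings.push({ rule: 'setting_change_cluster', changes: cluster.map(c => c.change) });
      break;
    }
  }
  return findings;
}

console.log(flagSlowBurn(EVENTS, new Set(['Grocer Ltd'])));
```

Each charge here is small enough to pass unnoticed on its own; the findings come from grouping by unfamiliar merchant and from seeing several account-control changes close together.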
What Happens Next
The current pricing suggests the supply of stolen data is high and growing. As long as companies and individuals fail to secure their accounts, the dark web market will keep expanding. The next phase might involve AI-generated identity profiles trained on real stolen data, making detection even harder.
Regulators are starting to respond. The UK’s Information Commissioner’s Office has increased fines for data breaches, and new rules around digital identity verification are expected. But enforcement is slow, and penalties often come after the data is already out.
On the technical side, wider adoption of passkeys could reduce the value of stolen passwords — but only if services support them. Apple, Google, and Microsoft have built passkey infrastructure into their ecosystems, but many smaller platforms haven’t adopted it yet. Until that changes, password-based accounts will remain the weakest link.
Another open question is how insurers will respond. As identity theft claims rise, personal fraud coverage could become more expensive or harder to get. Some insurers already offer dark web monitoring as part of their policies — a sign that the threat is being taken seriously.
What’s clear is that this isn’t a problem that will go away on its own. The economics of data theft are too favorable for criminals. The only real counterforce is better personal security, smarter detection systems, and faster response times — all of which require ongoing attention.
Conclusion
NordVPN’s research highlights the importance of staying vigilant online and taking steps to protect your personal data. As the dark web market for personal data continues to grow, it’s essential to stay informed and take action to protect yourself.
Don’t wait until it’s too late – take action now to secure your online accounts and protect your personal data.
Sources: TechRadar

