Category
Dark Web Services: current Average Prices (2026 Update)
Introduction
Back in 2022, I published our first deep dive into dark web pricing. At the time, the landscape was already complex, but it was still possible to draw fairly clean lines between the categories of goods and services being traded. Four years on, those lines have blurred considerably.
The underground economy has matured. Prices have shifted, new product categories have emerged, and the operational sophistication of threat actors has increased significantly. Ransomware-as-a-Service is now an established business model. AI-generated phishing kits are being sold alongside traditional credential dumps. Crypto drainers have become a category in their own right. And stealer log subscriptions are now one of the fastest-growing products on the dark web.
13th May 3pm UK Time
Webinar: 2026 Dark Web Pricing Report
For this updated report, we conducted an exhaustive crawl using our own SOS Intelligence DARKSEARCH platform, scanning active dark web marketplaces, forums, and paste sites throughout Q1 2026. We supplemented this with direct marketplace access via Tor and cross-referenced our findings against published industry research from PrivacySharks, DeepStrike, Privacy Affairs, and Trustwave. This time around, we have also expanded our scope significantly, covering narcotics, firearms, counterfeit goods, cryptocurrency fraud tools, and forged documents alongside the traditional cyber-focused categories. The result is what I believe to be one of the most comprehensive snapshots of dark web pricing available today.
So whether you are a security researcher, an MSSP building threat briefings, or a CISO trying to quantify the risk exposure your organisation faces, this should give you a solid, data-backed foundation.
Methodology
Our approach follows the intelligence cycle: direction, collection, processing, analysis, and dissemination. The direction phase was straightforward: understand what is being sold on the dark web in 2026 and at what price points.
For collection, we used the SOS Intelligence API v2 to run targeted keyword searches across our indexed dark web corpus. This includes content from over 50 active marketplaces, forums, paste sites, and Telegram channels. We queried across 20+ distinct product categories, including stolen financial instruments, identity documents, hacking services, malware, access brokers, narcotics (cocaine, heroin, methamphetamine, cannabis, MDMA, and prescription drugs), firearms, counterfeit goods, cryptocurrency fraud tools, and forged documents. We also accessed active Tor marketplaces directly to verify listed prices against real product pages. Key marketplaces analysed include Tor Market, Tor Amazon, Abacus Market, TheBreakingBad, Gun and Shell Factory, and several standalone vendor storefronts.
During processing and analysis, we normalised prices to USD (where vendors listed in EUR, GBP, or cryptocurrency) and calculated averages across multiple vendors where possible. Where a product category had significant variance (for example, initial access pricing can range from $500 to $50,000+), we present the typical range rather than a misleading average.
One thing worth noting: prices on the dark web are not static. They fluctuate based on supply, demand, law enforcement activity, and even seasonal patterns. What we present here is a snapshot, accurate to Q1 2026, and should be treated as indicative rather than definitive.
Stolen Financial Instruments
Financial data remains the bread and butter of dark web commerce. Credit card data, bank account credentials, and payment platform logins continue to dominate marketplace listings. The availability is enormous, driven in large part by the explosion in stealer log infections and large-scale data breaches.
Credit card data with CVV (card-not-present fraud) remains cheap and abundant. A single card with CVV typically sells for $10 to $40, depending on the issuing bank, card type, and associated balance. Cards with higher balances or from premium issuers command a premium. Cloned physical cards with PIN are a different proposition entirely, typically ranging from $100 for a single card with a $2,500 to $3,500 balance, up to $600 for a batch of 10 cards with a combined balance of $33,000 to $35,000.
| Product | Price Range (USD) | Source/Notes |
| Credit card with CVV | $10 – $40 | Per card, card-not-present |
| Cloned card with PIN (single) | $100 – $250 | $2,500 – $3,500 balance |
| Cloned cards (batch of 10) | $450 – $600 | $30,000 – $35,000 combined |
| AMEX Prepaid (EUR 2,500) | $105 – $510 | Price varies by vendor |
| Bank login (US) | $35 – $500 | Depends on bank and balance |
| Bank login (UK/EU) | $50 – $1,000+ | Premium for verified accounts |
| Bank transfer service ($10K) | $500 | Vendor guarantees delivery |
| PayPal account (verified) | $15 – $55 | Balance $2,500 – $25,000 |
| Crypto exchange account (Kraken) | $249 | Fully verified |
| Crypto exchange account (general) | $90 – $250 | Coinbase, Binance, etc. |
Compared to our 2022 findings, the average price of stolen credit card data has dropped slightly, reflecting oversupply. Bank account credentials, on the other hand, have held steady or increased, particularly for UK and EU accounts where strong customer authentication (SCA) requirements make compromised credentials more valuable to attackers who can bypass these controls.
Identity Documents and Fullz
Fullz, complete identity packages containing name, date of birth, SSN, address, and often more, remain a staple of dark web commerce. The pricing here has been remarkably consistent over the years, which suggests stable supply chains, likely fed by the steady stream of data breaches affecting organisations globally.
Bulk purchasing drives the per-unit cost down significantly. A batch of 1,000 Social Security Numbers was listed on Tor Market at $65. Business fullz (company identity packages with EIN numbers) go for around $95 for a set of 10, which is particularly concerning for organisations worried about business identity theft and fraudulent corporate filings.
| Product | Price Range (USD) | Notes |
| Individual fullz (US) | $20 – $100 | Per identity, includes SSN |
| SSN batch (1,000 records) | $65 | Bulk purchase, specific regions |
| Business fullz with EIN (10 pack) | $95 | Corporate identity packages |
| US passport scan | $100 | Digital copy only |
| US physical passport (forged) | $3,000 – $3,800 | High-quality forgery |
| UK driver’s licence (forged) | $500 | Physical document |
| EU national ID (forged) | $300 – $700 | Varies by country |
| Medical records | $50 – $500+ | Depends on completeness |
| Selfie with ID (for KYC bypass) | $50 – $100 | Growing demand |
A notable trend in 2026 is the growing market for KYC bypass packages. These typically include a stolen identity paired with a matching selfie (often obtained from stealer logs that capture webcam images), sold specifically to bypass Know Your Customer verification on financial platforms. This is a direct response to tightened identity verification requirements, and it represents an uncomfortable escalation in the identity fraud ecosystem.
DDoS and Hacking Services
DDoS-for-hire remains one of the most accessible attack services on the dark web. Entry-level DDoS attacks can be purchased for as little as $10 per hour, making it trivially cheap for anyone with a grudge and a cryptocurrency wallet. Monthly subscription packages for sustained DDoS capability go up to $850, though most listings cluster around $200 to $500 per month.
Hacking services for hire are more variable in pricing, reflecting the range of complexity involved. Simple social media account compromises sit at the lower end, while corporate network penetration and database extraction commands significantly higher fees.
| Service | Price Range (USD) | Notes |
| DDoS attack (per hour) | $10 – $50 | Basic layer 4/7 attack |
| DDoS subscription (monthly) | $200 – $850 | Sustained capability |
| Social media account hack | $25 – $100 | Facebook, Instagram, etc. |
| Email account compromise | $100 – $500 | Corporate email higher |
| Website hacking | $200 – $3,000 | Depends on target complexity |
| Corporate network access | $500 – $10,000+ | Overlaps with IAB market |
| Phone hacking/spyware install | $300 – $1,500 | Remote installation |
| Doxing service | $25 – $200 | Varies by depth of research |
The DDoS market has become increasingly commoditised. In 2022 we reported an average DDoS service price of around $382. That number has come down, driven by competition between providers and the proliferation of botnet infrastructure. The real concern is not the price itself but how easy it has become to launch these attacks with minimal technical knowledge.
Malware, Exploit Kits, and Phishing
This is where the dark web economy has seen some of its most significant evolution since our last report. The malware-as-a-service model is now firmly established, with vendors offering everything from basic RATs (Remote Access Trojans) through to sophisticated banking trojans and zero-day exploits.
Phishing kits have become particularly interesting. AI-generated phishing templates are now being sold at a premium, with vendors marketing their kits as capable of bypassing modern email security filters. The quality of these templates has improved dramatically, making traditional security awareness training less effective than it was even two years ago.
| Product | Price Range (USD) | Notes |
| RAT (Remote Access Trojan) | $45 – $500 | Off-the-shelf, basic features |
| Banking trojan | $500 – $1,800 | Targeted at specific banks |
| Ransomware-as-a-Service kit | $500 – $5,000 | Includes builder and panel |
| Stealer log subscription | $100 – $1,024/mo | Redline, Raccoon, Vidar |
| Phishing kit (standard) | $50 – $300 | Includes templates and hosting |
| Phishing kit (AI-generated) | $200 – $800 | Bypass modern filters |
| Zero-day exploit (general) | $5,000 – $200,000+ | Price varies enormously |
| Exploit kit (browser) | $100 – $2,000 | Pre-packaged exploitation |
| Botnet rental (1,000 bots) | $50 – $200/day | For spam or DDoS |
| Keylogger | $25 – $150 | Basic to advanced features |
The Ransomware-as-a-Service (RaaS) market deserves special attention. Our platform currently tracks over 100 active ransomware groups, many of which operate affiliate programmes where the actual ransomware deployment is carried out by affiliates who pay a percentage (typically 20-30%) of the ransom to the RaaS operator. The barrier to entry for launching a ransomware campaign has never been lower, and this is reflected in the sustained growth of ransomware incidents globally.
Crypto Drainers and Mixers
This is a category that barely existed in 2022 and is now a significant segment of the dark web economy. Crypto drainers are tools designed to empty cryptocurrency wallets, typically deployed via phishing sites that mimic legitimate Web3 platforms and trick users into connecting their wallets and signing malicious transactions.
Our DARKSEARCH data turned up active listings on DNA Forums and other threat actor communities, with prices ranging from $50 for basic tutorials through to $1,000 for fully operational Solana drainer toolkits. The Tron Trap drainer tool was listed at $300, while general-purpose drainer kits sat around $200 to $500.
| Product | Price Range (USD) | Notes |
| Crypto drainer kit (general) | $200 – $500 | Multi-chain support |
| Solana drainer | $1,000 | Chain-specific tooling |
| Tron Trap drainer | $300 | Listed on DNA Forums |
| Crypto drainer tutorial | $50 – $100 | DIY approach |
| Crypto mixing/tumbling service | 1-3% of amount | Per transaction fee |
| Crypto cashout service | 15-25% of amount | Conversion to fiat |
The emergence of drainer-as-a-service mirrors the RaaS model. Operators provide the tooling and infrastructure, affiliates drive traffic to phishing sites, and profits are split. Some drainer operators take a 20-30% cut of every wallet drained. For context, wallet drainer attacks stole hundreds of millions of dollars in cryptocurrency during 2025 alone, making this one of the highest-growth criminal sectors.
Initial Access Brokers
Initial Access Brokers (IABs) continue to be a critical part of the threat landscape. These are threat actors who specialise in gaining access to corporate networks and then selling that access to other criminals, typically ransomware operators. The IAB market is essentially the supply chain for ransomware.
Pricing varies enormously based on the target organisation’s size, industry, and the type of access being sold. VPN credentials for a small company might go for $500, while domain admin access to a large enterprise can command $10,000 or more. Our 2022 report found an average of around $7,700 for initial network access. In 2026, the range has widened as the market has matured, but the median sits around $2,000 to $5,000 for mid-market targets.
| Access Type | Price Range (USD) | Notes |
| VPN credentials (SME) | $200 – $1,000 | Single organisation |
| RDP access (dedicated server) | $10 – $100 | Commodity pricing |
| Domain admin (enterprise) | $5,000 – $50,000+ | High-value targets |
| Web shell access | $50 – $500 | Depends on target |
| cPanel/hosting access | $10 – $50 | Bulk available |
| Database access (customer data) | $500 – $10,000 | Depends on record count |
| Cloud infrastructure access | $1,000 – $20,000 | AWS, Azure, GCP |
Cloud infrastructure access is the emerging high-value category here. As organisations continue their migration to cloud platforms, compromised cloud credentials have become increasingly sought after. A set of AWS root account credentials for an enterprise can be worth significantly more than traditional on-premise network access, reflecting the potential blast radius of a cloud compromise.
Stolen Accounts and Subscriptions
The market for compromised online accounts remains massive, covering everything from streaming services to social media to gaming platforms. These are largely driven by credential stuffing attacks leveraging the billions of username/password pairs available from historical breaches, combined with the output of stealer log infections.
| Account Type | Price Range (USD) | Notes |
| Netflix/Disney+/streaming | $4 – $25 | Per account, often shared |
| Spotify Premium | $3 – $10 | Bulk available |
| Facebook account | $25 – $45 | Higher for aged accounts |
| Instagram account | $25 – $45 | Followers affect price |
| LinkedIn Premium | $30 – $50 | Professional accounts |
| Gaming accounts (Steam, Epic) | $10 – $100 | Game library affects price |
| Food delivery (Uber Eats, etc.) | $5 – $20 | With stored payment |
| Email accounts (bulk) | $2 – $10 | Per account |
| VPN service accounts | $5 – $15 | NordVPN, ExpressVPN, etc. |
What strikes me about this category is how cheap everything is. A Netflix account for $4, a Facebook account for $25. The low prices reflect the sheer volume of compromised credentials available. For most consumers, the inconvenience of having an account compromised is minor. But for organisations, compromised employee accounts, particularly email and LinkedIn, can be the starting point for targeted social engineering campaigns.
Counterfeit Currency and Documents
Counterfeit physical currency continues to be traded, though the market has evolved. Our crawl of Robinhood Market found fake Euro banknotes listed from $300 for a small batch up to $1,200 for larger quantities. Western Union transfer services were listed at $200 for a $2,000 transfer, representing a 10% fee.
Bank cheque templates have also become a notable category, with templates available from as little as $5 for basic designs up to $600 for comprehensive kits that include matching security features and printing instructions.
| Product | Price Range (USD) | Notes |
| Counterfeit EUR banknotes | $300 – $1,200 | Various denominations |
| Counterfeit USD banknotes | $350 – $1,500 | Quality varies significantly |
| Western Union transfer ($2,000) | $200 | 10% fee structure |
| MoneyGram transfer | $150 – $300 | Similar fee structure |
| Bank cheque templates | $5 – $600 | Including security features |
| Counterfeit branded goods (guides) | $20 – $200 | Manufacturing instructions |
In our 2022 report, counterfeit currency averaged around $396 per $1,000 face value. The current rates are broadly similar, suggesting this market has reached a stable equilibrium. The real shift is towards digital fraud, with physical counterfeiting becoming a smaller proportion of overall dark web commerce.
Proxy and Hosting Infrastructure
Bulletproof hosting and residential proxy services continue to be essential infrastructure for cybercriminal operations. These services provide the anonymous, abuse-tolerant hosting that enables everything from phishing campaigns to command and control servers.
| Service | Price Range (USD) | Notes |
| Bulletproof hosting (monthly) | $50 – $500 | Abuse-tolerant, offshore |
| Residential proxy (monthly) | $200 – $645 | Pool of residential IPs |
| SOCKS5 proxy (per IP) | $1 – $10 | Single use or short-lived |
| VPN service (criminal-oriented) | $5 – $30/mo | No-log guarantees |
| Dedicated server (offshore) | $100 – $400/mo | Full admin access |
| Domain + hosting bundle | $20 – $100 | For phishing campaigns |
Residential proxy pricing has actually increased since 2022, when we reported an average of $645 per month. The current range starts lower but premium services now charge more, reflecting growing demand from threat actors who need residential IP addresses to bypass fraud detection systems and CAPTCHAs.
AI-Enabled Criminal Services
This is entirely new territory since our 2022 report. The commoditisation of large language models has created a new category of criminal tooling that simply did not exist four years ago. Dark web forums now host discussions and sales of jailbroken AI models, custom-trained chatbots for social engineering, and AI-powered tools for generating convincing phishing content at scale.
While we did not find as many standardised price points for AI services as for other categories (the market is still maturing), the trend is clear. AI is being integrated into existing criminal workflows, particularly around social engineering, phishing content generation, and code development for malware. Some vendors are marketing “FraudGPT” and “WormGPT” style tools, essentially LLM wrappers with the safety guardrails removed, at subscription prices of $200 to $1,700 per month.
The implications here are significant. AI lowers the barrier to entry for technically unsophisticated threat actors, increases the quality and scale of social engineering attacks, and makes it harder for defenders to distinguish malicious content from legitimate communications.
Narcotics and Controlled Substances
Dark web drug marketplaces remain one of the most active sectors of the underground economy. Our DARKSEARCH crawls in Q1 2026 revealed multiple operational marketplaces with extensive product catalogues, professional vendor storefronts, and established escrow systems. The sophistication of these operations is notable: vendor pages include lab-testing claims, customer reviews, volume discount tiers, and next-day delivery (NDD) options for domestic shipments.
Three marketplaces stood out during our research. TheBreakingBad, a dedicated vendor storefront operating with a full e-commerce style interface, offered a comprehensive catalogue of stimulants, opiates, and dissociatives with granular volume pricing. Abacus Market, a multi-vendor marketplace, carried similar inventory with slightly different pricing. Tor Market, which operates as a broader multi-category darknet marketplace (also listing firearms, documents, and hacking tools), hosted 47 drug products across multiple vendors at the time of our crawl.
Stimulants
Cocaine remains the most commonly listed stimulant. Colombian cocaine claiming 94%+ purity was available across multiple markets. Crystal methamphetamine was the second most prevalent stimulant listing, with a notably well-developed volume pricing structure from European vendors. Amphetamine paste, particularly popular on European markets, was available in both standard (74%) and premium (94%) purity grades.
| Product | Price Range | Volume Pricing | Source Market |
| Colombian Cocaine 94%+ | $50 – $80/g | Bulk from $35/g at 100g+ | Tor Market, Abacus |
| Crystal Meth 94% (Mexican) | €10/g | €80/10g, €700/100g, €5,500/kg | TheBreakingBad |
| Crystal Meth (ICE) | $99/10g | $249/25g, $1,000/100g | Abacus Market |
| Speed Amphetamine 94% | €22/10g | €90/100g, €700/kg | TheBreakingBad |
| Speed Amphetamine 74% | €10/10g | €77/100g, €555/kg | TheBreakingBad |
| 3-MMC (Metaphedrone) | €10/g | €350/100g, €3,000/kg | TheBreakingBad |
| MDMA Champagne 84%+ | $6.50 – $18/g | $8/g at 250g bulk | Abacus Market |
| XTC Pills 250mg MDMA | €12.50/10 pills | €80/100, €750/1,000 pills | TheBreakingBad |
| XTC Pills (240mg, various) | $135 – $200/10 pills | Multiple brands available | Tor Market |
Opiates and Opioids
Heroin remained available from specialist vendors, with Iranian-sourced uncut product marketed as the premium option. The pricing structure on TheBreakingBad was particularly detailed, offering nine quantity tiers from a single gram to a full kilogram. This level of volume pricing suggests these vendors are servicing both individual users and mid-level distributors.
Prescription opioids also featured prominently. Oxycontin (40mg tablets) and Percocet (5/325mg) were listed on Tor Market, though exact per-unit pricing was often obscured behind “add to cart” interfaces that required account creation to view.
| Product | Price Range | Volume Pricing | Source Market |
| Heroin Uncut (Iranian) | €22.50/g | €175/10g, €1,600/100g, €13,500/kg | TheBreakingBad |
| Heroin #3 (60-70%) | $50 – $55/3g | Mid-grade, EU sourced | Tor Market |
| Oxycontin 40mg (20ct) | $120 – $200 | Prescription tabs | Tor Market |
| Percocet 5/325mg (70ct) | $150 – $250 | Price per bottle est. | Tor Market |
| Fentanyl patches/pills | $50 – $150 | Limited listings (high risk) | Various |
Cannabis
Cannabis products dominated by volume of listings. UK-based vendors advertised next-day delivery (NDD) on multiple strains, essentially running a delivery service comparable to legitimate e-commerce. Listings included premium strains such as OG Cookies, Super Silver Haze, Gorilla Glue, and Amnesia Haze, with clear quantity tiers.
| Product | Price Range | Volume/Notes | Source Market |
| Gorilla Glue (7g) | £42 (~$53) | UK NDD available | Abacus Market |
| OG Cookies (various) | $50 – $120/quarter | Multiple vendors | Tor Market |
| Amnesia Haze (100g) | $400 – $600 | Bulk listing | Abacus Market |
| Super Silver Haze | $35 – $80/quarter | Dutch sourced | Tor Market |
| Cannabis (French market) | Varies | 192 products listed | FR marketplace |
Psychedelics and Dissociatives
The psychedelics market showed strong activity, with psilocybin products packaged in consumer-friendly formats (chocolate edibles, microdose capsules) and ketamine available from multiple vendors. LSD pricing was harder to pin down through DARKSEARCH alone, but cross-referencing with forum discussions suggests typical street-equivalent pricing in the $5 to $15 per tab range.
| Product | Price Range | Notes | Source Market |
| Psilocybin Chocolate (4g) | $40 | Consumer-packaged edible | Tor Market |
| Psilocybin Capsules 150mg (x100) | $80 – $150 | Microdose format | Tor Market |
| Ketamine S-Isomer | €10/g | €175/50g, €1,850/kg | TheBreakingBad |
| LSD Tabs | $5 – $15/tab | Forum pricing cross-ref | Multiple |
| XTC/MDMA (ecstasy, various) | €12.50 – $200/10 pills | Brand-dependent pricing | Multiple markets |
Prescription Pharmaceuticals
Beyond controlled opioids, a range of prescription medications was available. Benzodiazepines (particularly Xanax and Rivotril) were listed at a fraction of pharmacy prices. Erectile dysfunction medications (Cialis) appeared as bulk listings, likely diverted or counterfeit product.
| Product | Price Range | Notes | Source Market |
| Xanax 2mg (50 pills) | €5 – €25 | Alprazolam, likely pressed | Abacus Market |
| Rivotril 2mg (20 pills) | $15 – $40 | Clonazepam | Tor Market |
| Cialis (50 tabs) | $120 – $200 | Bulk pack, likely generic/counterfeit | Tor Market |
The drug marketplace in 2026 functions like a professional retail operation. Escrow, customer reviews, volume discounts, refund policies, and domestic stealth shipping are standard. The operational maturity here mirrors what we have seen in the cyber services space, with vendor reputation systems driving quality competition.
Firearms and Ammunition
Firearms remain one of the most sensitive categories on the dark web. Our DARKSEARCH queries returned listings from multiple sources, including a dedicated storefront called “Gun and Shell Factory” and the firearms category on Tor Market (which carried 10 products at the time of our crawl). A vendor called “GlockZ” was also active with 7 listed products.
It is worth noting that firearms sales on the dark web carry the highest scam risk of any category. Law enforcement honeypot operations are well-documented in this space, and many “vendors” simply take payment and never deliver. That said, the listings themselves are informative for understanding what threat actors believe constitutes a reasonable market price, and the availability of these listings is itself a data point worth tracking.
Handguns
| Firearm | Listed Price (USD) | Calibre | Source |
| Glock 17 Gen 4 | $499 | 9mm | Tor Market |
| Glock 19 | $450 | 9mm | Gun and Shell Factory |
| Glock 26 | $350 | 9mm | Gun and Shell Factory |
| SIG Sauer P320 | $600 | 9mm | Gun and Shell Factory |
| SIG Sauer P220 | $680 (sale from $800) | .45 ACP | Tor Market |
| Desert Eagle | $899 (sale from $1,000) | .44 Magnum | Tor Market |
| Beretta M9 | $249 | 9mm | Tor Market |
| Ed Brown Kobra | $499 | .45 ACP | Gun and Shell Factory |
| CZ TS 2 | $899 | 9mm | Gun and Shell Factory |
Long Guns and Submachine Guns
| Firearm | Listed Price (USD) | Type | Source |
| AK-47 | $800 – $1,200 | Assault Rifle | Gun and Shell Factory |
| AR-15 | $700 – $1,000 | Semi-Auto Rifle | Gun and Shell Factory |
| UZI Pro | $740 | Submachine Gun | Gun and Shell Factory |
Ammunition was also listed separately, though pricing data was less granular in our crawl results. The presence of both firearms and ammunition on the same marketplaces that sell drugs, stolen data, and hacking tools underscores the breadth of these platforms. Tor Market, for instance, carries categories for Counterfeits, Credit Card/CVV/Dumps, Documents, Drugs (47 products), Firearms and Ammo (10 products), Gadgets, and Hacking (13 products), all under one marketplace roof.
Compared to legitimate retail prices, dark web firearms are generally listed at a discount of 30% to 60% from retail, which reflects the risk premium inverted: buyers on the dark web are willing to pay less because of the high risk of scam, non-delivery, or law enforcement interception. From a threat intelligence perspective, the persistence of these listings indicates ongoing demand from individuals who cannot or will not purchase through legitimate channels.
Expanded Counterfeit and Fraud Services
Beyond the identity documents and financial instruments covered earlier, the dark web hosts a broader ecosystem of counterfeit goods and fraud services. Our expanded DARKSEARCH crawl revealed categories including counterfeit luxury goods, forged academic credentials, cryptocurrency fraud tools, and casino bonus exploitation kits.
Counterfeit Luxury Goods
Tor Market listed counterfeit luxury watches, with a Rolex Submariner Non-Date 41mm (model 124060) featured as a promoted product. Counterfeit luxury goods have historically been a smaller dark web category compared to clearnet operations, but their presence on multi-category darknet marketplaces suggests vendors are expanding their offerings to capture cross-selling opportunities from buyers already on the platform for other products.
Cryptocurrency Fraud Tools
Cryptocurrency fraud tools were among the most expensive single-item listings we encountered. The “Tor Amazon” marketplace (operating since 2019) offered an extensive catalogue including stolen Bitcoin wallets, fake USDT senders, wallet cracking tools, and compromised exchange accounts. The pricing here is particularly instructive.
| Product | Price (USD) | Details | Source |
| Stolen BTC Wallet (599 BTC) | $42,000 – $59,900 | Priced at ~0.1% of wallet balance | Tor Amazon |
| Atomic Wallet 1BTC+ | $4,000 | Pre-loaded compromised wallet | Tor Amazon |
| Bitcoin Wallet w/ Seeds | $1,500 – $6,500 | Wallet.dat with passphrase | Tor Amazon |
| Wallet.dat Passphrase Cracker | $400 | Brute-force tool | Tor Amazon |
| Flash/Fake USDT Sender | $300 – $500 | Spoofed transactions | Tor Amazon |
| BTC Mnemonic Brute Tool | £550 (~$690) | 12-phrase wallet cracker | Standalone store |
| BTC Reverse Transaction Tool | $400 – $600 | Transaction reversal exploit | Standalone store |
| Leaked Data (16B accounts) | $121,484 | Apple, Google, Binance etc. | Tor Amazon |
Financial Fraud and Money Movement
The money movement ecosystem on the dark web continues to grow. Services for laundering funds through compromised payment platforms, cloned cards, and bank transfer services were widely available. The Tor Amazon marketplace offered ATM-cloned cards with guaranteed balances, stolen Visa CC/CVV data, Binance account transfers, PayPal-to-Bitcoin conversion services, and casino bonus exploitation kits.
| Product | Price (USD) | Details | Source |
| ATM Cloned Card ($15K balance) | $900 | Physical card, PIN included | Tor Amazon |
| VISA CC/CVV ($8K balance) | $400 | Virtual card with full details | Tor Amazon |
| PayPal $7K Verified Transfer | $600 (sale from $700) | Within 20 minutes worldwide | Tor Market |
| Visa Prepaid Clone ($7.5K) | $630 (sale from $750) | Physical + online usable | Tor Market |
| Binance Account Transfer | $300 – $500 | BTC/ETH/USDT transfers | Tor Amazon |
| Paxful Accounts ($5.5K) | $250 – $400 | Guaranteed balance | Tor Amazon |
| Casino Bonus Exploit | $150 – $350 | $3K-$10K bonus exploitation | Tor Amazon |
| Bank Flash SQR Tool | $800 (sale from $1,500) | Bank manipulation software | Tor Amazon |
| Aviator Predictor Hack AI | $400 | Casino/gambling exploit tool | Tor Amazon |
| Gold Bars 100g (Pre-Owned) | $8,500 | Physical delivery, escrow | Tor Amazon |
Forged Documents and Credentials
Forged documents ranged from academic credentials (diplomas, degrees, professional certificates) to government-issued identity documents. Tor Market listed a dedicated Documents category with 4 products, while Tor Amazon carried a broader selection under their Documents department. The “USA Documents” product on Tor Amazon was rated 4.85 out of 5 and priced between $600 and $3,500, covering various forms of US identification.
| Product | Price Range (USD) | Notes | Source |
| USA Identity Documents (ID Card) | $600 – $3,500 | Multiple ID types available | Tor Amazon |
| Forged Diploma/Degree | $200 – $800 | Various institutions | Multiple markets |
| Professional Certificates | $150 – $500 | IT, medical, trade certs | Multiple markets |
| Counterfeit COVID Certificates | $50 – $150 | Declining demand | Forum listings |
| Deepfake Service | $100 – $500 | Video/image manipulation | Tor directories |
The breadth of these offerings paints a picture of a mature underground economy that mirrors, and in some ways parodies, legitimate commerce. Marketplaces offer escrow protection, customer reviews, vendor ratings, return policies, and even promotional sales events. Tor Amazon, for example, displays a running shopping cart total (one snapshot showed a cart worth $154,514), tracks “verified sellers” with sales counts, and runs sale pricing on multiple products. This operational maturity makes these platforms resilient and, from a threat intelligence perspective, worth continuous monitoring.
Pricing Comparison: 2022 vs 2026
The table below compares our 2022 findings with the current 2026 data across key categories. Prices are typical midpoint values.
| Category | 2022 Average | 2026 Average | Trend |
| Credit card with CVV | $243 | $15 – $40 | Decreased (oversupply) |
| Counterfeit currency (per $1K) | $396 | $350 – $450 | Stable |
| DDoS service (monthly) | $382 | $200 – $500 | Decreased (commoditised) |
| Residential proxy (monthly) | $645 | $200 – $645 | Wider range, lower entry |
| Initial network access | $7,700 | $2,000 – $5,000 | Decreased (median) |
| Ransomware kit | N/A | $500 – $5,000 | New category tracked |
| Crypto drainer kit | N/A | $200 – $1,000 | New category |
| Stealer log subscription | N/A | $100 – $1,024/mo | New category |
| AI criminal tools | N/A | $200 – $1,700/mo | New category |
| Cocaine (per gram) | $150 – $300 | $50 – $80 | Decreased (dark web discount) |
| Crystal Meth (per gram) | $50 – $100 | $10 – $15 | Decreased significantly |
| Heroin (per gram) | $100 – $200 | $22 – $55 | Decreased (direct sourcing) |
| Handgun (Glock 17) | $1,500 – $2,500 | $450 – $500 | Decreased (high scam risk) |
| Stolen BTC Wallet | N/A | $4,000 – $59,900 | New category |
| Forged ID Documents (US) | $250 – $1,000 | $600 – $3,500 | Increased (quality premium) |
The overarching trend is clear: established product categories have become cheaper as supply has increased, while new, more sophisticated offerings (RaaS, drainers, AI tools) have emerged at premium price points. The dark web economy is following the same pattern as legitimate tech markets, with commodity products racing to the bottom while innovation commands a premium.
Key Takeaways
The barrier to entry keeps falling. DDoS attacks for $10, phishing kits for $50, stolen accounts for a few dollars. The tools for cybercrime are cheaper and more accessible than ever. This has direct implications for the volume of attacks organisations should expect to face.
Stealer logs are the new oil. The stealer log economy has grown enormously. These logs, harvested from malware infections on individual machines, contain browser-saved passwords, session cookies, crypto wallet data, and more. They feed almost every other category: account takeover, initial access brokering, financial fraud, and identity theft.
Ransomware is a mature industry. With over 100 active groups tracked on our platform and well-established affiliate models, ransomware has moved from being an emerging threat to a structural feature of the threat landscape. The supply chain (IABs to RaaS operators to affiliates to money launderers) is well-oiled and efficient.
AI is an accelerant. While AI has not yet created fundamentally new attack types, it is making existing attacks more effective, more scalable, and more convincing. The appearance of AI-enabled tools as a distinct product category on the dark web is a development every security team should be tracking.
Crypto is the preferred battlefield. The emergence of crypto drainers as a major product category, combined with the growth in compromised exchange accounts, tells us that cryptocurrency users and platforms are now firmly in the crosshairs. The pseudonymous nature of crypto transactions makes this an attractive and growing target.
Drug marketplaces operate like professional retailers. The dark web drug economy has reached a level of operational maturity that mirrors legitimate e-commerce. Escrow, customer reviews, next-day delivery, volume discounts, lab-testing claims, and refund policies are now standard. Prices have dropped significantly compared to street equivalents, reflecting the efficiency of direct vendor-to-buyer models that bypass traditional distribution chains.
Firearms listings persist despite high scam risk. While firearms are consistently available on dark web marketplaces, this category carries the highest scam risk and is a known target for law enforcement honeypot operations. The listed prices (30% to 60% below retail) reflect this risk. The intelligence value here is less about the prices themselves and more about the persistent demand signal from individuals seeking to acquire weapons outside regulated channels.
The dark web is a one-stop shop. Multi-category marketplaces like Tor Market (drugs, firearms, counterfeits, hacking tools, documents, and financial fraud under one roof) and Tor Amazon (hacking, financial, electronics, documents, drugs, and guns) demonstrate that the underground economy has consolidated. A single marketplace visit can service everything from identity theft to substance procurement to weapon acquisition. This consolidation has implications for law enforcement, intelligence analysts, and risk modelling.
Don’t miss out!
Webinar: 2026 Dark Web Pricing Report
Conclusion
The dark web economy in 2026 is bigger, more diverse, and more sophisticated than it was in 2022. Prices for commodity products have dropped while new, higher-value categories have emerged. The professionalism of threat actors continues to increase, with customer support, affiliate programmes, and quality guarantees now standard across many marketplaces.
What has changed most since our 2022 report is the breadth. The dark web is no longer just a marketplace for stolen data and hacking tools. It is a fully integrated underground economy spanning narcotics, firearms, counterfeit goods, identity documents, cryptocurrency fraud, and digital services. Multi-category marketplaces have consolidated these offerings under single platforms, complete with escrow systems, vendor ratings, and promotional campaigns that would not look out of place on a legitimate e-commerce site.
For defenders and intelligence professionals, the key takeaway is that the cost of attacking your organisation, or acquiring the tools to do so, is low and getting lower. The investment needed to mount a credible phishing campaign, launch a DDoS attack, purchase a weapon, or obtain fraudulent identity documents is trivial compared to the potential payoff. This asymmetry is the fundamental challenge, and understanding the economics of the dark web is essential to building effective defences and informing policy.
At SOS Intelligence, we monitor these marketplaces continuously so our customers do not have to. Our DARKSEARCH platform indexes content across 50+ active dark web sources, and our analysts track emerging threats, new marketplace activity, and pricing trends in real time. If you want to understand what is being said about your organisation on the dark web, or if you need intelligence on any of the categories covered in this report, our platform gives you that visibility.
Passport photo by Kit (formerly ConvertKit) on Unsplash
Crypto Photo by Pierre Borthiry – Peiobty on Unsplash
Drugs photo by Colin Davis on Unsplash
Money hoto by Dmytro Glazunov on Unsplash
Recent Comments