The Hidden Hand of the Hacker Market

Unprecedented trends of data breaches reflect a more fundamental shift in the underground criminal market.

Over the past 12 months  breaches grew more frequent than ever previously recorded. The hackers behind data breaches stole record-breaking numbers of login credentials. Hackers increasingly used more stolen credentials to carry out new hacks leading to new data breaches.

This article explores these and other trends related to data breaches, the underlying factors driving these trends, and what to expect in the near future.

Stolen credentials now have a bigger role than ever before in the process of enabling hackers to steal data. The portion of the sum total of data breaches that were caused by hackers using stolen credentials increased from 41% in 2021 to 47% in 2022, according to the 2023 Data Breach Investigations Report (DBIR) by Verizon. And then in turn, data breaches were exposing more and more credentials stolen by hackers. Per the report, stolen credentials made up nearly 50% of confidential data exposed in 2022 data breaches. That percentage is the highest recorded to date. (Note that when referring to the year 2022, the DBIR is referring to the period from November 1st, 2021 to October 31st, 2022.)

The growth in stolen credentials is not a fluke, the number of annual “credential spill incidents” nearly doubled between 2016 and 2020, according to the F5 Labs 2021 Credential Stuffing Report.

So what do malicious actors do with stolen credentials? Sell them.

There is a large marketplace for selling stolen credentials on the dark web, according to Recorded Future’s 2022 Annual Report. The report highlights that while hackers have traditionally made money from their intrusions through ransomware attacks, they are increasingly turning to selling stolen credentials instead. This could explain why ransomware payments decreased by nearly 60% from 2021 to 2022.

Credentials are very popular in the underground market. Per Spy Cloud’s Identity Exposure Report, stolen credentials have become the most valued and sought after data on the dark web. The buyers are often people that intend to use credentials for the purpose of hacking, especially credential stuffing attacks.

Credential Stuffing

Credential Stuffing” (CS) refers to an intrusion method that takes lists of stolen credentials and uses them in large-scale automated login requests. Hackers are relying on the idea that people are reusing the same usernames and passwords when they set up multiple accounts.

CS as a technique is on the rise. For example, the American identity and access management company OKTA reported that its records showed credential stuffing attacks were responsible for 34% of observed login attempts that were observed by the company.

In addition, F5 Labs identified access-based attacks such as CS as the number one attack method leading to data breaches.

CS attacks were used in several of the biggest data breaches in 2023, such as Paypal, Chick-fil-A, and United Healthcare.

The rise in CS attacks is particularly relevant to the rise in data breaches given that F5 Labs identified access-based attacks like CS as the number one attack method leading to data breaches.

CS attacks are on the rise compared to other hacking methods likely because they have become cheap.

Related:   Supply Chain Cybersecurity Will Be a Leading Concern in 2023

F5 Labs’ 2022 report highlighted that CS had become “incredibly easy and inexpensive.” The report pointed out that on the underground market it costs less than $200 to pay for a CS attack  that includes 100,000 Account Takeover attempts.

“Account Takeover” is when a malicious actor will use compromised credentials to log into a victim’s personal account.

The Role of the Market

CS attacks are becoming cheaper likely because of a structural shift in how the underground market facilitates hacks.

Criminals are increasingly specializing in certain skills and selling their services freelance. This means that you have the same process behind a hack but different people are doing different parts.

For example, Initial Access Brokers (IABs) gain entry to companies or other targets and then sell that access. According to a recent article on DarkReading by Eric Clay, VP of Marketing at Flare Inc., IABs will post listings of their access for sale. A common IAB listing on the market includes product descriptions such as the number of devices compromised, industry of a victim company, number of employees, and geographic location of the victim.

Hackers do not need to learn the skills to gain access to the victim because they can outsource to IABs. The growing market enables a wide variety of specialists to sell their hacking-related services.


To wrap up, in the underground market selling creds is growing more profitable and CS attacks are cheaper and more accessible than ever before. These factors are linked to recent data breach trends with hackers stealing and using more creds and CS attacks on the rise.

There are still more questions to answer. For example, if stolen creds are more expensive to purchase, then why are CS attacks cheaper? (A topic that is beyond the scope of this article)

What is known for certain is that the market enables the sale and purchase of credentials while also enabling hackers to carry out successful attacks.

More studies are needed to determine the causes and effects of these trends and the direct influence of the market. In the meantime, the existing research strongly suggests that the underground market has played a pivotal role in recent data breach developments.

As long as the underground market is able to flourish we can expect these data breach trends to continue.

Tom Caliendo is a cybersecurity journalist focused on emerging technologies and threat vulnerabilities.

Tom is the author of The OSINT Guide and Co-Founder of the research and literary firm Brockett Consulting.


Formerly a private investigator, Tom has over 20 years of experience as a security consultant and is a specialist in cryptocurrency investigation.

Leave a Reply

Your email address will not be published. Required fields are marked *