Download free DLP for AI whitepaper


  • Buying stolen data on the dark web is as easy as 1, 2, 3. All you need is an internet connection, a special browser, and some bitcoin. 
  • We’re not advocating you buy data on the dark web, but how simple it is to do demonstrates the importance of a strong security posture.
  • Put a strategy in place for identity and access management to ensure cyber criminals can’t successfully exploit any leaked or stolen employee data.
  • Use data loss prevention (DLP) solutions to protect against future data breaches. 


Chances are, you’ve heard of the Dark Web. Often likened to the digital underbelly of the world, it’s a place that’s full of nefarious deeds. Drug sales, illegal weapons, hacking tools and stolen data are all up for grabs in its online marketplaces. 

However, it’s not easy to find. The Dark Web is invisible to common search engines like Google. Accessing it requires thorough planning, effort and determination. 

Plus, even once you access the Dark Web, finding what you’re looking for will take even longer. It’s a labyrinth of websites and search engines. Chances are, unless you know someone already in the game, then you may feel like you’re lost in a maze.

For the purpose of this article, we’re going to take a look at the process of buying stolen data on the Dark Web. Of course, we don’t recommend any criminal activities. This is more to show you, as a business leader, exactly what could happen to your company’s data if it’s stolen. 

Let’s take a look – step by step. 

Four steps to buying data on the dark web
  1. Get the right browser

Google Chrome won’t get you very far in your quest to reach the Dark Web. What you need is a specialist browser called Tor. Tor is anonymized. It routes web page requests through a number of proxy servers to keep IP addresses hidden and untraceable. 

While this is great from an anonymity standpoint, the sheer amount of server requests creates a slow and frustrating end-user experience. This means you’ll need patience and quite a bit of time to make the most out of using Tor. 

2. Buy some bitcoin

According to research from Privacy Affairs, you need roughly $1,010 to bag enough personal data to steal someone’s identity. But, there’s a catch. The Dark Web doesn’t do bank transfers. You’ll need some bitcoins

The reason for bitcoins’ popularity is twofold. Firstly, its blockchain ledger creates trust, building an immutable record of transactions that prevents fraud and enforces authenticity. Secondly, bitcoins’ decentralized nature also enables privacy and security, so that shady deals can be carried out without a trace. 

3. Start your research

Once you’ve purchased your bitcoin, and you’re logged on to Tor, it’s time to start digging. The Dark Web does offer search engines, but their calibre can’t be likened to Google. CSO Magazine, in a review of Dark Web functionality, alleges that these search engines are clunky, “repetitive and often irrelevant to the query.”

Luckily for you, we’ve done a bit of digging into popular Dark Web marketplaces, which will save you some time trawling through Google’s dark counterpart. Popular e-commerce sites that come up again and again include White House Market, DarkFox Market and Vice City Market. Remember, you’ll need to use the Tor browser to access them.

Interestingly, you’ll notice these websites don’t use .com or .org – they use .onion. This is “a special-use top level domain suffix designating an anonymous hidden service reachable via the Tor network,” says Wikipedia. As you’ll see, the URL’s are often difficult to remember, too, due to the use of scrambling technology – all designed to make Dark Web sites hard to find and take down if you’re part of law enforcement. 

4. Get shopping 

You’ll likely be pleasantly surprised by the interfaces of these websites. Many are just like Amazon, with simplified store-fronts, images and search query options, which make it easy to find the product you’re looking for.

In this instance, you’re looking for sensitive, personal data: medical records, financial details, names, dates of birth, passwords and addresses. At this point, it’s worth reminding you of the value of this data. It can be divided into buckets: immediate gain and long-term strategy. Immediate gain takes the form of using financial details and personal information for blackmail or to commit fraud – for example, impersonating an individual to their bank. 

Long-term strategy involves harvesting personal details for use in a more sophisticated attack, such as phishing or logging into someone’s work email and deploying ransomware. What you want to achieve will dictate what data you buy. 

Usually, you’ll find that data is sold in ‘dumps’. This means you don’t pay for an individual’s personal details, you pay for the data of hundreds or thousands of people. If you’re curious, you could even try typing your own name or address into one of those websites and see what comes up. As these reporters found in 2019, you’ll likely be disturbed by how many times your details appear on the dark web. 

How do you prevent your data from landing on the dark web?

Assuming that you aren’t a burgeoning cyber-criminal, it’s likely that the simplicity of accessing the dark web scares you – particularly when you think that you or your company’s data might be up for grabs in it. 

Thankfully, there are the tools out there to protect against these instances. The most important thing to do is to protect your sensitive data using cloud-based data loss prevention (DLP). In the hybrid working environment, it’s difficult to authenticate employees when they are working remotely. By using privileged access tools, combined with DLP, you can ensure that only verified, trusted individuals have access to your data. 

Secondly, your security tools should be backed up with awareness and training. Many data theft incidents start with a phishing email, aimed at downloading malware onto the user’s device. Modern training solutions integrate into employees’ daily workflow using nudge techniques. These flag suspicious emails, prompt employees to check their actions before sharing sensitive documents and more. 

Ultimately, while the Dark Web isn’t going anywhere, this doesn’t mean your data needs to end up on it. By taking a proactive stance to protecting data, and not burying your head in the sand about this threat, you can stay one step ahead of cyber criminals. 

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.


Get Polymer blog posts delivered to your inbox.