Are you a convicted felon who has dreams of traveling abroad? Or a cybercriminal looking to set up a legitimate bank account into which you can deposit your ill-gotten funds? Then buying a passport off the dark web is an option that you should consider!
But while in the past forged or stolen passports would fetch a hefty sum on the black market, thanks to the modern marvel that is the dark web, prices have fallen significantly. Last month, Comparitech analyzed listings on a handful of illicit marketplaces to try to determine exactly how much a passport or passport scan can fetch in the seediest corners of the Internet. Their analysts scoured marketplaces like Dream Market, Berlusconi Market, Wall Street Market and Tochka Free Market, among others.
During their search, they discovered that passport scans, which are often enough for a scammer or criminal to set up a bank account in another person’s name, can be purchased for as little as $15. For slightly more, an aspiring criminal can purchase a passport and driver’s license scan – which would be enough to open an account on a cryptocurrency exchange or – better yet – hack into the account of an unsuspecting trader by exploiting password recovery tools.
However, real passports still fetch a hefty sum, and even forgeries can be prohibitively expensive for some.
Here are Comparitech’s key findings:
- The average price of a digital passport scan is $14.71.
- If proof of address or proof of identification (a selfie, utility bill and/or driver’s license) is added to a passport scan, the average price jumps to $61.27.
- Australian passport scans were the most common, and yet, the most expensive ($32).
- The average price of a real, physical passport is $13,567.
- The average price of a counterfeit, physical passport is $1,478.
Real or forged, passport scans are typically accompanied by other forms of identification – a utility bill, a selfie of the ID card owner holding up their ID, or a driver’s license. These bundles cost significantly more than the passport scan alone – often upwards of $60. But scammers get what they pay for, because multiple forms of ID are usually required to bypass proof-of-address and proof-of-identification controls on websites. A buyer who has such a bundle can seize control of another individual’s account, assuming the documents are in the correct name.
The bulk of Comparitech’s analysis focused on digital scans and images of real passports. The site’s researchers found 48 unique listings for real passport scans, 38 of which were not sold with any accompanying proof of ID or address, spanning 20 countries. While they found no discernible pattern in pricing relative to supply or the power of the country’s passport, they did discover that Australian passports were the most common and the most expensive.
And while a wide range of vendors appeared to sell passport scans, only a small handful specialized in providing them.
Passports sold on the dark web came in a few forms:
- Editable Photoshop templates used for making fake passport scans. These cost very little and are available for almost any Western country. They make up the majority of marketplace listings when searching for “passport”.
- Digital passport scans. These real scans of actual passports cost around $10 each and are often sold in bulk. They are available for several countries and are fairly common.
- Physical passport forgeries. We found listings for counterfeit passport forgeries for a handful of European countries. They typically cost north of $1,000.
- Real, physical passports. These are the real deal (according to the listing), so they are not common nor cheap. Most of them cost more than $12,000.
Dark web vendors accept payment exclusively in cryptocurrency, typically Bitcoin or Monero. (All prices in Comparitech’s research were based on conversion rates on Sept. 24 and Sept. 25.)
Most of the physical passports that Comparitech found for sale on the dark web were from European countries, with physical passports coming in two forms: genuine and forgeries. They can be used in fraud-related crimes as well as illegal immigration, human trafficking, and smuggling.
Authentic passports from Europe are hard to come by and cost a lot, with prices ranging from $8,216 for a German passport to $17,116 for the UK.
Forgeries are about one-tenth the price of real ones – but they still cost in excess of $1,000.
Criminals who purchase passport scans typically target one of three venues for fraud-related crimes: cryptocurrency exchanges, payment systems, and betting websites.
Here’s an example of how a passport scan might be used in an account recovery scam (summary courtesy of Comparitech):
- The target has an account with a cryptocurrency exchange. They’ve set up two-factor authentication on their account, so a code is sent to an app on their phone to verify logins.
- Through some other means, the scammer steals the user’s password (perhaps through phishing or a data breach). But because 2FA is enabled on the account, they can’t get in.
- Instead, the scammer poses as the victim and approaches the cryptocurrency exchange, saying they’ve lost access to their phone and cannot get the authentication PIN, and thus cannot log in.
- The cryptocurrency exchange requests the account holder send a scan of their ID to prove their identity before resetting the 2FA on the account. In many cases, companies will require the person take a selfie while holding the ID, hence the higher price for passport scans with selfies.
- The scammer modifies the scans from the dark web as necessary to match the victim’s personal details, then sends them to the exchange, still posing as the victim.
- Upon receipt of proof of identity, the cryptocurrency exchange resets or removes the 2FA on the account, allowing the hacker to access and drain the victim’s crypto assets. Hackers routinely change the passwords and email addresses associated with accounts to make it harder for the account owner to regain control.
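From the exchange's side, the sequence above leaves a recognizable trail in account events. The following is an added example, not from the article or from Comparitech, that flags 2FA resets matching that trail; the event names, time windows and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PRE_RESET = timedelta(hours=24)    # assumed look-back before a reset request
POST_RESET = timedelta(hours=72)   # assumed cooling-off period after a reset
CREDENTIAL_CHANGES = {"email_changed", "password_changed"}

# Constructed sample events (timestamp, account, event); not real logs.
EVENTS = [
    ("2018-10-01T09:00:00", "acct-1", "password_ok_2fa_not_completed"),
    ("2018-10-01T09:20:00", "acct-1", "support_2fa_reset_requested"),
    ("2018-10-02T11:00:00", "acct-1", "2fa_reset_completed"),
    ("2018-10-02T11:05:00", "acct-1", "email_changed"),
    ("2018-10-02T11:06:00", "acct-1", "password_changed"),
    ("2018-10-02T11:10:00", "acct-1", "withdrawal_requested"),
    ("2018-10-03T08:00:00", "acct-2", "support_2fa_reset_requested"),
    ("2018-10-04T08:00:00", "acct-2", "2fa_reset_completed"),
    ("2018-10-20T08:00:00", "acct-2", "withdrawal_requested"),
]

def recovery_signals(events):
    """Return {account: [signals]} for accounts whose 2FA reset fits the scam pattern."""
    by_account = {}
    for ts, account, kind in events:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), kind))
    findings = {}
    for account, items in by_account.items():
        items.sort()
        signals = set()
        for when, kind in items:
            if kind == "support_2fa_reset_requested":
                # Correct password but no 2FA shortly before the support request.
                if any(k == "password_ok_2fa_not_completed"
                       and timedelta(0) <= when - t <= PRE_RESET for t, k in items):
                    signals.add("password_known_before_reset_request")
            elif kind == "2fa_reset_completed":
                # Credential changes or withdrawals inside the cooling-off period.
                for t, k in items:
                    if timedelta(0) <= t - when <= POST_RESET:
                        if k in CREDENTIAL_CHANGES:
                            signals.add("credentials_changed_after_reset")
                        elif k == "withdrawal_requested":
                            signals.add("withdrawal_after_reset")
        if signals:
            findings[account] = sorted(signals)
    return findings

def should_hold_withdrawals(signals):
    """Hold funds when a post-reset withdrawal coincides with another signal."""
    return "withdrawal_after_reset" in signals and len(signals) >= 2
```

On the sample data, acct-1 shows all three signals and its withdrawal would be held, while acct-2, whose withdrawal comes 16 days after the reset with no other indicators, is not flagged.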
Cryptocurrency exchanges and individual wallets are becoming popular targets, with more than $1 billion in crypto stolen last year. And as cryptos become more widely adopted, this type of fraud is only going to spread.