Cybercriminals are turning stolen data into a thriving black market

Cybercriminals are stealing data and running full-scale businesses around it. Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) report reveals how personal data is now a core currency in the underground economy.

Data is the product

Cybercriminals go after everything from login credentials to credit card numbers, medical records, and social media accounts. The data criminals collect helps them access accounts, impersonate users, or sell that access to others. Europol stresses that access to an account is often the first step in a wider attack. Once inside, attackers can move laterally through a network, steal more data, and carry out scams using the victim’s identity.

Social engineering just got a boost

Much of this access starts with tricking people. Social engineering tactics, like phishing emails and fake websites, are still widely used. But now, LLMs and GenAI are making these tactics more convincing. AI-generated messages can mimic writing styles and local language quirks, making them harder to spot. According to the report, phishing messages created by LLMs have a higher success rate than those written by humans.

AI is also being used to scale up operations. For example, offenders can use chatbots and synthetic media to target many victims at once, in multiple languages. Voice deepfakes are being used in business email compromise scams to trick employees into handing over money or credentials.

Malware is everywhere

Once someone clicks a link or downloads a file, malware does the rest. Infostealers are a type of malware designed to extract personal data from infected devices, such as usernames, passwords, and browser history. One such tool, Lumma, infected over 394,000 Windows devices worldwide before being taken down by law enforcement in 2025.

Criminals distribute infostealers using phishing emails, search ads, and even app stores. Some campaigns use fake popups, known as “ClickFix” traps, that trick users into running malware on their own machines.

Selling access is big business

Initial access brokers (IABs) specialize in selling entry points to compromised systems. These brokers often use phishing or exploit software vulnerabilities to gain access. They then resell those credentials to other criminals, such as ransomware gangs.

The market for this kind of access is growing fast. Europol cites CrowdStrike research showing a 50% increase in advertised access prices in 2024. Criminals are also selling stolen credentials in bulk on marketplaces like Russian Market or through encrypted messaging apps.

Once sold, access can be reused. Europol warns that different attackers may exploit the same breach, increasing the damage for victims.

Data marketplaces thrive underground

Data breaches are often followed by sales on dark web forums or encrypted platforms. These markets host everything from login credentials and stolen IDs to phishing kits and malware subscriptions.

Some sites, like BreachForums or the recently dismantled Nulled and Cracked forums, became huge hubs. Nulled alone had over five million users. Many of these platforms rely on reputation systems, badges, and peer reviews. This helps criminals build trust and carry out business without getting caught.

As law enforcement takes down major forums, smaller, more specialized channels are popping up. Encrypted apps make it harder for authorities to track these activities.

AI opens new attack paths

Besides improving phishing, criminals are using AI to create fake identities, forge digital fingerprints, and bypass security checks. They also exploit vulnerabilities created by AI itself. One tactic, called “slopsquatting,” involves tricking AI code assistants into suggesting fake software libraries. Attackers then create malicious packages with those names and upload them to public repositories. Developers who trust the AI suggestions may end up installing malware into their own systems.