The dark web, a marketplace for personal data

Individuals and organisations advised to remain vigilant and take necessary steps to protect themselves from data breaches

by AFIQ HANIF 

VERY few Malaysians are aware of the dark web, where their stolen personal data is being sold. 

Recent security statistics indicated a significant increase in personal data breaches and cyberattacks, with the Covid-19 pandemic contributing to the rise due to the widespread adoption of cloud-based platforms for remote workforces. 

Additionally, the rollout of 5G has led to more connected devices, further expanding the attack surface for hackers to exploit sensitive personal data. 

To make matters worse, research suggests that most companies fail to adequately protect their sensitive data or rely on ineffective traditional security approaches, leaving them vulnerable to cyberattacks. 

As a result, hackers can easily steal users’ personal data and use it to launch more dangerous attacks, or they can sell it on the dark web for huge profits. 

The Royal Malaysian Police reported a 15.3% increase in commercial crime cases in 2021, with the majority being fraud cases. According to the police, the total number of commercial crime cases reported in 2021 was 31,490, compared to 27,323 cases the previous year. 

Out of the total number of cases reported, fraud cases were the highest at 28,842, accounting for 91.6% of all commercial crime cases. 

This represents an increase of 16.1% from the 24,834 fraud cases reported in 2020. The most common type of fraud cases involved investment scams, online shopping scams and job scams. 

Secondly, 942 criminal breach of trust cases were reported in 2021, an increase of 7.2% from the 879 in 2020, followed by offences under the Moneylenders Act 1951 with 847 cases in 2021, representing an increase of 26.2% from the 671 cases reported the previous year. 

In fourth place are cybercrimes with 400 cases reported in 2021, a 10.1% increase from the 363 cases reported in 2020. The most common cybercrime cases were phishing scams, identity theft and online harassment. 

The Dark Web 

This is an illegal online marketplace where vendors operate anonymously through unofficial or unauthorised channels to trade goods. 

Unlike the regular Internet, search engines do not index the dark web and users require unique browsers like Tor to access it. These browsers make it almost impossible to track users’ connections as they bounce through several relays. 

The black market for stolen personal information is thriving on the dark web, with varying prices depending on several factors like the type of data sold, the risks in obtaining it, how recent it is, the benefits it provides to buyers, its quality and accuracy, as well as supply and demand. 

According to reports on the dark web, cybercriminals added over 22 billion new records for sale in 2020 alone, indicating the black market’s growth. 

Vendors on the dark web make offers that parody traditional established markets, such as “buy four cloned credit cards and get two free!” 

Purchasing items on the dark web is primarily done through the use of Bitcoin (BTC). However, there has been a recent trend among unscrupulous web vendors who insist on payments made via Monero, coupled with communication through Pretty Good Privacy (PGP) encryption. 

This new approach to transactions enhances security and serves as an additional layer of protection against potential detection and tracking by law enforcement agencies. 


Malaysia Cyber Internet Users Association general secretary Azfar Aza said an annual data breach report, based on worldwide research by Verizon, showed that 86% of personal data breaches are driven by the pursuit of money. 

“The report also indicates that 55% of these breaches are carried out by organised criminal groups. 

“The amount of money these hackers can make from stealing personal information is staggering, making them a persistent threat to individuals and organisations,” he told The Malaysian Reserve (TMR). 

Azfar explained that after a hacker steals personal information, they typically organise it into a database, which can be monetised in various ways. 

“They can do this by using the information themselves. Hackers can make transactions or perpetrate fraud using the stolen data. 

“For example, they can withdraw money from a bank account, obtain new credit cards, make online purchases, borrow money from banks or friends and family, make fraudulent health insurance claims, or pay off their debts,” he said. 

Secondly, hackers profit from stolen personal data by selling it on the black market for thousands of ringgit. 

“Buyers can purchase the stolen data they are interested in and use it for malicious activities. Personally identifiable information such as names of breach victims, their ID numbers, home addresses and dates of birth can be used to make fraudulent transactions. 

“Buyers can also clone credit card numbers and security codes and use them for identity theft. For example, they can apply for loans in the victim’s name or file false tax reports. They can also use stolen emails in phishing attacks, social engineering tactics and distributed denial of service (DDoS) attacks,” he said. 

The ease with which hackers can monetise stolen personal information and the high demand for it make it a persistent threat. 

Azfar advised individuals and organisations to remain vigilant and take necessary steps to protect themselves from data breaches. 

“This includes using strong passwords, enabling two-factor authentication and keeping software updated. 

“It is also important to monitor bank accounts and credit reports regularly, and immediately report any suspicious activity,” he said. 

The Scam Victims 

John (not his real name) had always been cautious about online purchases and had never fallen for any scam until the day he decided to buy a new game online. 

He found a great deal on a popular gaming site which only accepted credit cards. He did not want to use his parents’ credit cards, so he searched for a virtual credit card that he could use for this one-time purchase. 

John stumbled upon a website that sold stolen credit card details and after some consideration, he decided to buy one. 

He thought he had struck gold when the credit card details he purchased worked seamlessly on the gaming site. He quickly made the purchase, and the gaming console was delivered to his doorstep a few days later. 

But little did John know that the owner of the stolen credit card had reported the fraudulent transaction to their bank. The bank, in turn, contacted law enforcement, who traced the transaction to John’s gaming account. 

A few weeks later, John received a call from the police, informing him that he had unknowingly used a stolen credit card and was now under investigation for fraud. 

He explained to the police that he had purchased the credit card details from a website, but they were not interested in hearing his side of the story. He was eventually charged in court for fraud. 

John learned a harsh lesson about the dangers of buying stolen credit card details. He ended up with a criminal record, a hefty fine and regret. 

Another fraud victim who requested anonymity said she saw a Facebook ad offering online trading. 

“An online trader who specialised in binary options, cryptocurrency and forex trading contacted me over the phone. 

“He claimed that his company was at the forefront of the industry, utilising cutting-edge technology and offering guaranteed returns,” she told TMR. 

Intrigued, she invested a few thousand dollars on the online platform, which appeared to be working seamlessly. 

“I could see my trades generating substantial profits and as a result, I invested more money at their urging, with promises of even greater returns. 

“However, when I attempted to withdraw my earnings, I was informed that I would need to pay taxes on my profits before being allowed access to them. 

“This was not something that I had been warned about previously, but I was told it was a necessary step. As I insisted on withdrawing my money, my trades began to fail and my profits began to dwindle,” she explained. 

The traders urged the victim to invest more money, claiming that increasing her trade volume would enable her to reverse the situation and they went as far as to describe the situation as an emergency. 

“I eventually realised that this was a scam when they started to pressure me to invest more money, despite the significant losses I had already sustained. 

“The scammers were incredibly convincing and appeared professional. They warned me that I would be removed from the market because my trades were failing and my investment had dwindled to just 3% of its original value. Ultimately, I understood that it was all a facade and that I had been swindled,” she added. 

A salesperson who wished to only be known as Amani had always been cautious with her personal information. She knew the risks of identity theft and made sure to keep her passwords strong and her credit card information safe. 

However, one day, she received a call from her bank’s fraud department informing her of suspicious activities on her account. 

“I was shocked. I’ve never shared my information with anyone and couldn’t understand how this could have happened. 

“The bank informed me that my credit card had been used to make several large purchases, including a new computer and gaming system. The charges added up to over RM5,000 and the purchases were made outside Malaysia,” she said. 

The bank discovered that Amani’s credit card information had been stolen from a data breach and sold on the dark web. She reported the fraud, but it was a long and difficult process to get her money back. 

From that day on, Amani signed up for credit monitoring services and made sure to keep her passwords updated and strong. 

Continuous Awareness Programmes are Essential

CyberSecurity Malaysia CEO Datuk Dr Amiruddin Abdul Wahab said the financial sector is at a constant risk of cyberattacks worldwide. 

He explained that banks and investment firms are among the most vulnerable to cybercrimes due to the vast amounts of money and valuable data they handle daily. However, he gave the assurance that banks and financial organisations rely on various security measures such as data encryption to protect their customers. 


“In Malaysia, Bank Negara Malaysia (BNM) has developed guidelines and best practices for the banking industry to address cybersecurity incidents,” he said. 

Despite these measures, Amiruddin expected cyber adversaries to continuously impersonate and leverage financial aid services through various scams to gain money. 

“Continuous awareness programmes are essential for various entities in the financial sector to educate the public on the best practices of online banking,” he concluded.


  • This article first appeared in The Malaysian Reserve weekly print edition