How strong identity controls can shut down low-cost dark web services
Judging by recent Thanksgiving dinner table conversations, layfolk imagine cybercrime as something exotic: solitary geniuses in hooded loungewear, typing furiously away in dimly lit basements. Mr. Robot has a lot to answer for. The truth, however, can be far more mundane and far more dangerous. Almost every common attack can be bought as a service now, and usually for less Bitcoin than an artisanal burger. The dark web is a labyrinthine marketplace offering stolen credentials, access to corporate networks, ready-made ransomware kits, DDoS firepower, phishing platforms, and even full “attacker-for-hire” operations.
It’s cheap. It’s scalable. And it works because too many organizations leave the door half open.
Understanding this economy helps us defend against it. The goal isn’t to stop criminals from buying the tools. You can’t. The goal is to make sure that when they try to use them against your organization, it’s a complete waste of their time and money.
At irregular intervals, as a cybersecurity writer, I boot up Tor and take to the onion sites to see what attackers can buy today. Partially for work and partially because it makes me feel like "Zero Cool" in Hackers, I look at why it’s so cheap, and consider how a smarter access-control strategy can undermine the return on investment that keeps this whole nefarious ecosystem alive.
The Dark Web Shopping List
Commodity credentials
The commodity end of the market is overflowing with stolen logins. Email accounts, SaaS apps, cloud consoles, social media, and developer accounts; all there for a few dollars each. Prices stay low because breached data is everywhere and constantly refreshed.
Attackers love this because credentials are the easiest entry point into a business. They don’t need to hack your firewall. They just need working usernames and passwords that get them inside long enough to pivot.
Payment cards and financial access
Card data sells in the $5–$100 range depending on freshness, region, and completeness. Bank and fintech logins cost more, especially if the seller guarantees a minimum balance. But even then, the prices rarely reach a level that would deter a motivated attacker. These datasets often serve a dual purpose: direct fraud and identity synthesis for further attacks.
DDoS-as-a-Service
A twenty-note subscription can buy an afternoon of disruption. These “stressers” are marketed as testing tools but used overwhelmingly for extortion, retaliation, or simple chaos. You don’t need skill; you just need a PayPal proxy.
Ransomware-as-a-Service
The sophisticated end of the underground is built on franchise models. Developers create the ransomware; affiliates get the infections. Some operators charge a modest subscription fee, some take a percentage of each ransom. There’s documentation, support tickets, changelogs, and onboarding instructions that look disturbingly like legitimate SaaS platforms.
When a criminal can rent a full attack chain for less than the price of an annual domain registration, the barrier to entry collapses.
Phishing kits and PhaaS platforms
Everything needed to impersonate your cloud login page or HR system can be bought for a few dollars. A malicious actor gets templates, hosting, scripts that bypass MFA, and sometimes pre-written lure emails. For a bigger spend, they can outsource the entire campaign.
Initial access brokers
Initial access brokers (IABs) are the wholesalers of compromise. They sell footholds into real companies, usually obtained through RDP/VPN credentials, infostealers, misconfigured cloud access, or unpatched endpoints. Prices vary wildly: tens of dollars for a small business, tens of thousands for privileged corporate access.
Modern ransomware groups often rely entirely on brokers rather than performing their own initial intrusion. Why burn an exploit when someone will sell you a working login?
The Real Problem: It’s Not the Tools, It’s the Access
Everything on this list has a common dependency: it only works if the attacker can turn purchased access into meaningful privilege.
If a stolen credential doesn’t come with the entitlements to move laterally, escalate, or reach sensitive systems, it’s worthless.
If a VPN login points to a locked-down identity that requires a specific time window to exploit, it’s worthless.
Suppose an IAB sells a cloud admin account, but your environment ties every action to verifiable identity and time-boxed approval flows. In that case, that access becomes noisy, traceable, and automatically shut down: worthless.
Criminal services are profitable because organizations still tolerate broad, persistent, unmonitored access. Reduce that access, and you gut the dark-web business model.
How to Break the Attackers’ ROI
You don’t have to outspend the criminals. You just have to outsmart their assumptions. No, this won’t stop a DDoS attack; that’s what cloud mitigation services and rate limiting are for. But it will protect the corporate crown jewels.
1. Replace standing privilege with just-in-time access
Attackers rely on persistence. If they buy or steal a credential today, they expect that credential to be useful next week. JIT (just-in-time) access flips the table: users get privilege only when they need it, for minutes or hours, not for weeks or years, and never because someone forgot to revoke it.
If access isn’t persistent, most stolen credentials simply expire into uselessness.
2. Track every identity, human and machine, in a single inventory
Half of the credentials being sold today belong to service accounts, abandoned projects, non-human identities, or shadow IT. If you don’t know an identity exists, you can’t protect it. A clean, continuously updated identity inventory removes the forgotten footholds attackers hold so dear.
3. Revoke privilege proactively
If you can remove unused access automatically, you lower privilege creep and shrink the blast radius of any single compromise. Criminals hate short windows; they kill the ability to move laterally. Proactive privileged access management is critical.
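To make the three steps concrete, here is an added Python model (not code from the article or from any product) of a privilege store that issues time-boxed grants, keeps one inventory of human and machine identities, and revokes idle standing access. The identities, roles and timings are constructed sample data; the scenario shows what a credential stolen at T0 is actually worth when replayed later.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Grant:
    identity: str                    # human or machine identity from the inventory
    role: str                        # entitlement such as "cloud-admin"
    expires_at: Optional[datetime]   # None means standing (persistent) privilege
    last_used: Optional[datetime] = None

class PrivilegeStore:
    """One inventory of every identity's grants (step 2), issued JIT (step 1)
    and pruned when idle (step 3). Hypothetical model, not a real product API."""
    def __init__(self, idle_limit: timedelta = timedelta(days=30)):
        self.grants: list[Grant] = []
        self.idle_limit = idle_limit

    def grant_jit(self, identity: str, role: str, now: datetime,
                  duration: timedelta = timedelta(hours=1)) -> Grant:
        g = Grant(identity, role, now + duration, last_used=now)
        self.grants.append(g)
        return g

    def grant_standing(self, identity: str, role: str, now: datetime) -> Grant:
        g = Grant(identity, role, None, last_used=now)
        self.grants.append(g)
        return g

    def effective_roles(self, identity: str, now: datetime) -> set[str]:
        """Roles a credential really carries at `now`; an expired JIT grant counts for nothing."""
        return {g.role for g in self.grants
                if g.identity == identity and (g.expires_at is None or now < g.expires_at)}

    def revoke_idle(self, now: datetime) -> list[Grant]:
        """Drop standing grants not used within idle_limit and return what was removed."""
        def stale(g: Grant) -> bool:
            return (g.expires_at is None and g.last_used is not None
                    and now - g.last_used > self.idle_limit)
        removed = [g for g in self.grants if stale(g)]
        self.grants = [g for g in self.grants if not stale(g)]
        return removed

def demo() -> dict:
    """Constructed scenario: admin JIT grant, a forgotten service account, one active user."""
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    store = PrivilegeStore()
    store.grant_jit("alice", "cloud-admin", t0, timedelta(hours=1))              # step 1
    store.grant_standing("svc-legacy-etl", "db-owner", t0 - timedelta(days=45))  # forgotten
    store.grant_standing("bob", "read-only", t0)                                 # in use
    store.revoke_idle(t0)                                                        # step 3
    return {"alice_at_theft": store.effective_roles("alice", t0),
            "alice_next_week": store.effective_roles("alice", t0 + timedelta(days=7)),
            "svc_account": store.effective_roles("svc-legacy-etl", t0),
            "bob": store.effective_roles("bob", t0)}
```

Run `demo()`: the admin credential is live for one hour and empty a week later, the idle service account has already been stripped, and only the actively used read-only identity keeps its access.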
So Why Does This Matter?
Cybercrime thrives because it’s cheap, automated, and low-risk for the attacker. The only reliable way to disrupt it is to make the path from “bought access” to “useful intrusion” painfully narrow. Strong identity governance, just-in-time permissions, rich context, and precise privilege boundaries do exactly that.
Dark-web menus will keep getting longer. The pricing will keep dropping. But if you take away the value of the access they’re selling, the entire economy collapses at your perimeter. Not because you blocked everything, but because you made every compromised credential effectively worthless.