How your entire identity could be sold for £30 on the dark web

British “identity packages”, including an ID scan, a selfie, and a dossier of personal data, can be purchased by criminals on the dark web for as little as £30, new research suggests.

As identity theft continues to rise, experts have discovered the sale of national identity documents, driving licences, credit card details and UK “frequent traveller” passports for £2,000. 

The information can be exploited in multiple ways and used to apply for credit cards, mortgages, car loans, or to open bank accounts.

AMLTRIX, a group of anti-money laundering experts, analysed 25 active dark web marketplaces in early December last year, uncovering the many ways in which Britons’ stolen data is being used. 

open image in gallery

Its co-founder, Gabrielius Erikas Bilkstys, said: “A full identity pack with ID scan and selfie is now cheap enough and accessible for criminals to buy in bulk, and if that is not enough, the dark web offers other, more reliable, although more expensive options.

“That reflects how often the same personal data is stolen and resold, and how industrialised this market has become.”

open image in gallery

Some of the highest-value items were KYC-verified UK business bank accounts, ranging from £900 to £2,000. Accounts at major banks such as NatWest and Barclays were at the upper end of this range, according to AMLTRIX.

A NatWest spokesperson said: “We take protecting our customers from financial crime extremely seriously, which is why we operate robust fraud and security systems and work with partners across the wider digital ecosystem.”

Barclays has been contacted for comment.

The research also found hacked UK Amazon accounts listed at an average of £15, while login details for subscription services such as Netflix were going for around £10.

Counterfeit Bank of England banknotes were also being sold, typically going for around 25 to 35 per cent of their face value. Some vendors claimed that their notes pass UV light checks and offered low-value sample orders as proof of quality. 

While in many cases, the data being sold was legitimate, AMLTRIX also noted that there were several instances of scams.

open image in gallery

Once the data is online, the same identity can be repeatedly used to commit identity theft. Often, the original victim will be unaware until debt collectors or law enforcement become involved, AMLTRIX said. 

Mr Bilkstys said that for organisations, one of the key misunderstandings was seeing the dark web as a completely separate world. “Many organisations still think of the dark web as a distant, exotic threat. 

“In reality, it is tightly connected to everyday phishing campaigns, large data breaches, account takeovers, and money laundering cases that compliance teams are already dealing with.”

UK fraud prevention service Cifas found that there were more than 118,000 cases of identity fraud recorded between January and June last year. 

open image in gallery

David Wall, a cyber crime expert at the University of Leeds, said: “The problem exists at two levels. [Firstly], data of the individual who can fall victim to financial loss, this happens through account takeover, or more likely being defrauded via a phone call pretending to be from the victim’s own bank. The other level accesses data at the organisational level.”

In 2024, 43 per cent of UK businesses reported experiencing a cybersecurity breach or attack, according to the Department for Science, Innovation and Technology (DSIT). 

Criminals will gather this data and process in to packages to be sold on to other criminals, Mr Wall said. “Some data sets are scams where one group of crooks try to scam another, but others are the real thing and provide initial access to organisations.

“This is very concerning as they have contributed to some of the larger cyber, mainly ransomware, attacks experienced by most Western countries in recent years.”