The destination of data stolen by cybercriminals

Stolen data is emerging as a new online business where criminals can use personal information to further their crimes by simply buying and selling it


Online data theft crime has been a common problem for several years now. In 2020 alone, coinciding with the COVID-19 pandemic and the subsequent home quarantine, hackers stole more data in a single year than in the previous four years. The exponential increase in internet usage along with the resulting online shopping led users to expose their private and banking data to cyber networks, which were sometimes unsecured and suffered from various breaches that hackers have exploited to execute data thefts.

Often, social misinformation and the lack of education of the general population on these issues means that we expose our data normally on websites that may be vulnerable, or we fall into the trap of an email containing spam or phishing. Once we have been victims of the crime and we have reported it, the pertinent question is what happens to the data that has been stolen, an issue that often raises concern but that, on many other occasions, we do not give it the importance it deserves due to general ignorance.


The reality is that the final destination of the stolen data depends on who carried out the cybercrime. For example, when hackers proceed to steal data from an organisation, person or company with the intention of "embarrassing" and showing how easily they have committed the theft, as well as displaying information that could be of general interest, hackers tend to spread the relevant data across the internet and make it public. This would be the case of the different groups and individuals who steal data under the well-known pseudonym of Anonymous trying to expose the data of people who have committed alleged crimes so that society knows about them.

However, when the thefts are committed for the simple purpose of stealing bank details or identity numbers, some data may end up on the Deep Web for sale. Cyber security experts say that hackers often target personal information and financial data for theft because they are so easy to sell. Alongside this, in recent years health data has become another target for theft in order to carry out extortion operations. An example of this is a Finnish company specialising in psychotherapy that suffered a theft of private patient data that was used to blackmail the company and demand a ransom. At other times the stolen data may simply remain in the hacker's possession.


Other times, when data theft is executed by governments, it is not disclosed or shown in the public domain as it is often used for espionage. One example is the attack on the hotel company Marriott after it was the victim of a massive data breach in 2018 that stole personal information on 500 million guests. Investigations suggested that the hacks were carried out by Chinese hackers with the backing of their government. According to enquiries, the stolen data were intelligence-gathering efforts on Western government officials.

The most common way to buy data is through bitcoins, a virtual currency that is decentralised, so there is no authority or control body responsible for issuing it or registering its movements. On the other hand, prices vary depending on the quality and importance of the stolen data and the volume of demand for it. Groups of email addresses can fetch several million dollars, while others can be sold for as little as 10 dollars. On the other hand, voter data is sold in different US states for $100.


Buyers then use the data to use credit card numbers along with security codes to clone cards that can be used for fraud while other data such as home address, social security number, names or dates of birth are used to commit further theft crimes.

Specialised security reports state that 86% of these operations are related to money theft while 55% of the data are committed by organised crime groups. According to the Associated Press, hackers have published at least 300 of these records. Interestingly, on several occasions, the stolen personal information itself is used by marketing companies or companies that specialise in running spam campaigns. In addition, the same data buyers may employ the use of emails to commit phishing crimes and spread malware, which would be known as malicious software, a virus designed to infiltrate electronic devices and damage the computer system.


In 2020, reports of this type of crime increased by 313% in Spain, according to the National Police, while web-based scams increased by 161%, demonstrating the growing escalation in the rise of cybercrime.

The seriousness of what happens with usurped data highlights the need to improve and reinforce the measures that users must take to avoid falling victim to these infringements. Before making any online purchase, cybersecurity experts recommend reading the agreements and product information or policies, as well as avoiding being lured by random offers that prevent you from completing your details or that encourage you to rush the payment due to "the expiry of the offer". Similarly, they advise you to open emails that you know the origin of, avoiding those that you are unsure of, and to delete them.