Identity Theft and the Underground Economy


In October 2013, Vietnamese national Hieu Minh Ngo was indicted on charges that he managed an international identity theft scheme. Ngo is the creator of a website called, which lets users search the Social Security numbers, birthdates, and other identity assets of millions of Americans. For a fee—funded by anonymous virtual currencies—users could purchase these assets and resell them again or use them to file fraudulent tax returns, apply for benefits, or drain bank accounts.

How did all of this sensitive information reach a site like Ngo's, and how did it remain undetected for nearly four years ( began operating in 2010)? The answer to the latter question is that Ngo's site operated on the Darknet, a shadowy corner of the Internet that few know about and even fewer can access.

Deep and Dark

The Darknet is a part of what's known as the Deep Web—a collection of non-indexed Internet sites. Non-indexed sites cannot be accessed via traditional search engines such as Google or Bing; basically, the sites located in the Deep Web are unavailable to the general public.

Accessing the Darknet requires a browser known as The Onion Router (Tor). Tor provides users with the ability to privately communicate over public networks and to share information anonymously.

"There are legitimate uses for, and users of, Tor—for example, political dissidents use it to communicate anonymously in order to evade government reprisals," says Dr. Marie-Helen Maras, an associate professor at John Jay College of Criminal Justice in New York City. "However, Tor and Darknet have also been used to conduct illicit activities, such as the buying and selling of drugs; weapons; debit and credit card information; counterfeit documents; counterfeit money; child pornography; copyrighted materials; and malicious software and hacking services."

"Cybercrime as a Service"

Maras, who is John Jay's deputy chair in the digital forensics and cybersecurity program as well as a graduate faculty member, points out that the nature of the Darknet makes it difficult to measure the extent of illicit activities that occur there. But Walt Manning, a cybersecurity consultant in Green Cove Springs, Florida, and a former police lieutenant, says that pay-for-information sites like are likely all too common.

"[Hackers on the Darknet] are doing what I call 'cybercrime as a service,'" he says. "They're in it for the money, because there are a tremendous number of buyers—other hackers, or even governments."

And that money is easier and easier to make, Manning says, in this age of ultra-connectedness. "We're giving all kinds of information away without realizing the risks," he says. "For example, Facebook has started tracking a user's Internet activity no matter where they go on the Web. As all of that information is collected and collated, the profiles get more complete and the databases get more detailed—and the more that information is bought and sold, the odds of it getting into the wrong hands grows."

According to Manning, the underground transfer of this information can't be compared to a traditional supply chain because there are so many potential buyers and users. However, what we do know is that many black markets—including two of the best-known, SilkRoad and Agora—exist on the Darknet. At these shadowy online marketplaces, everything from Social Security numbers to illegal drugs to hit-man services is for sale. The use of Bitcoin and other unregulated digital money makes transactions anonymous. And in general, there are two ways that our personally identifying information (PII) is being sold and traded in these marketplaces.

In the first, as in the case of, buyers can trade virtual currency for packages of information about specific individuals. The price varies based on how much information is included (for example, birthdate, Social Security number, or mother's maiden name); which databases the information is pulled from (the more recent the database, the higher the price); and on how many different identities are purchased.

In the second scenario, a hacker creates a piece of malware capable of extracting PII from the computers it infects. The malware is then sold on the black market, spreading via its buyers to millions of computers. In one of the best-known recent cases, a 24-year-old Russian national was charged with developing and selling SpyEye, a "Trojan" program specifically created to steal PII and use it to drain victims' bank accounts.

What Can Be Done?

Manning predicts that as use of the Darknet grows, it will become more and more difficult to track down the cybercriminals who inhabit it. "The more this information is spread and the more people try to use it, the thinner the trail becomes and the harder it becomes to track down one suspect," he says. "If I steal a credit card and a thousand people are using it to commit fraud, then the odds of my fraudulent transaction being caught are very low."

In the case of SpyEye, the creator's reign of terror ended when he inadvertently sold his malware to the wrong person—an undercover FBI agent. According to Maras, law enforcement is increasingly going undercover on the Darknet to catch cybercriminals (understandably, she declined to comment on specific tactics used).

For her, the answer lies in the work she and her colleagues are doing at places like John Jay College to shine some light on this corner of the Internet: "Little is known about Darknet and its potential uses, and the number of Darknet sites and the individuals using them is largely unknown," she says. "Academicians and researchers can help us provide more information on Darknet activities."

What is IDWise?

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy. IDWise offers clear and accessible resources to empower citizens—both online and offline—to be better informed and make smarter choices to protect their personal information.
