How Does the Dark Web Fuel the Global Data Economy?

Matilda Bailey is a networking specialist who has spent her career dissecting the infrastructure that powers our digital world, with a particular focus on how next-generation cellular and wireless solutions intersect with global security. As the landscape of cybercrime shifts from isolated incidents to a professionalized global industry, her expertise in how data flows through encrypted relays and hidden nodes has become essential for understanding the modern threat environment. In this conversation, we explore the intricate lifecycle of stolen data, the specialized roles within the criminal underground, and the economic drivers that make certain types of information more valuable than gold. We delve into the mechanics of the dark web’s supply chain, the resilience of marketplaces despite international takedowns, and the proactive measures security leaders must adopt to protect their organizations in an era where data never truly disappears.

The underground economy now mirrors a professional supply chain with specialized roles like initial access brokers and aggregators. How does this division of labor accelerate the pace of attacks, and what specific steps can teams take to identify these different players during an active intrusion?

The shift toward role specialization has transformed cybercrime from a chaotic hobby into a high-velocity assembly line that mirrors a Fortune 500 company. When you look at the numbers, the impact is staggering; the FBI’s Internet Crime Complaint Center reported losses exceeding $20.9 billion in 2025 alone, a sharp 26% increase over the previous year. This acceleration happens because collectors, such as phishing crews and infostealer operators, can focus solely on harvesting raw data—like the 2.1 billion credentials pulled from 23 million infected hosts—while Initial Access Brokers (IABs) specialize in the high-stakes work of verifying network entry points. To catch these players, security teams need to look for specific behavioral fingerprints; for instance, an IAB might perform quiet reconnaissance or “testing” of credentials against live services, which looks very different from the loud, aggressive encryption phase of a ransomware affiliate. By monitoring for the “listing” phase—where domain admin credentials can command thousands of dollars on markets like BreachForums or Russian Market—teams can sometimes identify an impending breach before the primary payload is even delivered.

Stolen healthcare records often sell for over $500, while verified credit cards might only fetch $120. Why is there such a massive price gap between these data types, and how does the permanence of medical information create a recurring revenue stream for criminal buyers over several years?

The price disparity on the dark web is a cold calculation of “shelf life” and convertibility. A credit card is a high-maintenance asset; even a card with a verified $5,000 balance, which fetches around $110 to $120, can be canceled with a single phone call once the fraud is detected. In contrast, healthcare records are the “blue chip” stocks of the criminal world because they contain immutable data—Social Security numbers, birth dates, and chronic medical histories that cannot be rotated or reset like a password. This permanence allows fraud rings to use a single record for years to facilitate synthetic identity fraud, fraudulent loan applications, or even medical insurance scams that drain resources long after the initial breach. When a buyer pays over $500 for a medical file, they aren’t just buying a snapshot; they are purchasing a long-term key to a victim’s life that remains lucrative across multiple cycles of the dark web’s distribution and reuse stages.

Privacy coins and stablecoins like USDT now account for the majority of illicit transaction volume on the dark web. How has this shift away from Bitcoin changed the way financial crimes are tracked, and what evidence should investigators prioritize when trying to follow the money through encrypted relays?

The migration to stablecoins has added a layer of complexity to financial forensics that we didn’t see when Bitcoin was the primary medium of exchange. According to recent intelligence, stablecoins—specifically USDT—now account for a massive 63% of illicit crypto volume, providing criminals with a stable value store that avoids the volatility of traditional coins. While Monero remains a favorite for marketplace trades because of its built-in privacy features, the use of USDT on the dark web allows for faster, more predictable laundering through decentralized finance protocols. Investigators must now prioritize the “off-ramps” and the initial digital signatures left behind when data is packaged into “fullz” or stealer logs. Because the dark web utilizes Tor and multihop relays to hide .onion addresses, the most valuable evidence often lies in the session data and browser fingerprints that link a crypto-wallet transaction to a specific infected machine or actor profile.

International operations have successfully seized thousands of servers and frozen hundreds of crypto accounts, yet many marketplaces reappear shortly after. What are the specific challenges of dismantling groups that operate from non-extradition jurisdictions, and how can global law enforcement make these “reconstitutions” more difficult for criminals?

The challenge is essentially a game of geopolitical “Whac-A-Mole” where the mallets are restricted by national borders. We see figures like Dmitry Khoroshev, the leader of LockBit, continuing to operate from Russia despite a $10 million U.S. State Department reward and the seizure of 34 of his servers during Operation Cronos. These groups thrive in jurisdictions that offer them a safe harbor, allowing platforms like BreachForums to be seized and then reconstituted multiple times within a single year. To make these “reconstitutions” more painful, law enforcement is moving beyond just seizing domains and toward unmasking the infrastructure, as seen in Operation Cookie Monster which resulted in 119 arrests by targeting the underlying Genesis Market platform. By freezing the 200-plus cryptocurrency accounts associated with these groups and publicly “de-anonymizing” their operators, global agencies create a “reputation tax” that makes it harder for the criminal brand to regain the trust of its buyers and affiliates.

Credential theft is now present in nearly a quarter of all major breaches, often appearing in stealer logs before an attack occurs. How can security leaders use this intelligence to proactively adjust their risk thresholds, and which phishing-resistant controls are most effective at devaluing data on the market?

The sheer scale of the problem is daunting, with credential theft appearing in 22% of breaches and affecting billions of compromised accounts circulating in 2025. For a CISO, the key is to realize that the presence of their organization’s domain in a stealer log is a leading indicator of an imminent intrusion. By monitoring for these logs—which often contain browser passwords and session cookies from infected machines—security teams can rotate credentials and invalidate sessions before an IAB sells that access to a ransomware group. To truly devalue this data on the market, we must move toward phishing-resistant Multi-Factor Authentication (MFA) across all cloud and SSO entry points. If a stolen password cannot be used without a hardware-based token or a biometric check, its value on the dark web drops to zero, effectively breaking the criminal’s ROI and forcing them to look for easier targets.

A security breach doesn’t end once the ransomware is removed, as stolen records can circulate in criminal markets for years. How should incident response plans change to address the long-term “afterlife” of data, and what metrics prove a threat is actually contained rather than just dormant?

We have to stop treating incident response as a sprint to “clean the servers” and start seeing it as a long-term management of toxic assets. With 2.86 billion compromised credentials circulating across markets, the “afterlife” of data means that a breach from three years ago can still fuel an account takeover today. Incident response plans need to include ongoing dark web monitoring for at least 24 months post-breach to track the distribution and reuse of exfiltrated files. True containment isn’t just about removing malware; it’s measured by the stability of the organization’s credential health and the absence of “combo lists” or “fullz” appearing on Telegram channels or forums. If we see our data being repackaged into stealer logs months after the incident, it’s a clear signal that the threat is not contained, but merely evolving in the hands of a new buyer.

What is your forecast for the dark web?

I expect the dark web to become even more fragmented and resilient as it migrates away from centralized marketplaces toward encrypted messaging apps and private, invite-only nodes. We are already seeing a surge in Telegram-based aggregators that offer the same escrow and reputation scoring as traditional forums but with much higher mobility and lower overhead. This shift will likely drive up the cost of corporate access listings, which currently sit between $500 and $3,000, as specialized brokers use more sophisticated automation to verify the “freshness” of their data. For organizations, this means the window between a credential being stolen and it being used in a major attack will shrink from days to hours. The only way to survive this high-speed environment is to adopt a philosophy where we assume our credentials are already on the market and build our defenses around the principle of least privilege, ensuring that even if a door is unlocked, the intruder finds nothing of value behind it.
