Understanding how criminals monetise stolen data — from credential stuffing and account takeover to dark web market sales and identity fraud — helps you prioritise your defences and respond more effectively when breaches occur.
When a data breach occurs and credentials are obtained, the fastest exploitation method is credential stuffing — the automated use of breached email/password combinations against high-value targets. Criminal groups maintain sophisticated automated tools that can test millions of credential pairs against banking sites, e-commerce platforms, email providers, and cryptocurrency exchanges within hours of a breach. The attack is effective because most people reuse passwords: a credential pair stolen from a low-security online store is immediately tested against HSBC, Hang Seng, PayMe, and every other high-value service that uses email as a username. Success rates for credential stuffing attacks range from 0.1% to 2% of tested credentials — seemingly low, but applied to a database of 10 million stolen credentials, even a 0.1% success rate yields 10,000 compromised accounts.
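
On the defending side, the pattern described above (one source, many distinct accounts, a success rate of a few percent at most) is what separates credential stuffing from an office NAT or a single user retrying a password. The following is an added example, not code from the original article; the event format, thresholds and sample addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, source_ip, username, succeeded)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Source A: 200 distinct accounts in ~3 minutes, 2 successes (1% hit rate).
    for i in range(200):
        events.append((base + timedelta(seconds=i), "203.0.113.10",
                       f"user{i}@example.com", i in (57, 140)))
    # Source B: office NAT, 30 distinct staff, all but one succeed.
    for i in range(30):
        events.append((base + timedelta(seconds=10 * i), "198.51.100.7",
                       f"staff{i}@example.com", i != 4))
    # Source C: one person retrying their own password (single account).
    for i in range(6):
        events.append((base + timedelta(seconds=5 * i), "192.0.2.44",
                       "alice@example.com", i == 5))
    return events

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=50, max_success_ratio=0.05):
    """Flag sources that try many distinct accounts with few successes.

    Returns {source_ip: sorted usernames that DID log in from that source};
    those accounts need session revocation and a forced password reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            distinct = len({user for _, user, _ in win})
            ratio = sum(ok for _, _, ok in win) / len(win)
            if distinct >= min_accounts and ratio <= max_success_ratio:
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_stuffing(build_sample_events()).items():
        print(ip, "compromised accounts:", hits)
```

The successful logins from a flagged source matter more than the failures: they are the small fraction of reused passwords that worked, and the accounts to lock first.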
Account takeover of banking and financial accounts is the most immediately valuable outcome for criminals. Once inside a banking account, criminals work quickly: initiating FPS transfers to mule accounts, draining credit card balances through purchases at compliant merchants, changing contact details (email, phone number) to prevent security notifications from reaching the victim, and adding new beneficiaries for future transfers. The entire process from initial account access to fund extraction can take less than 30 minutes — the HKMA has noted that rapid transfer schemes give victims and banks very little time to intervene. Hong Kong's FPS (Faster Payment System) is a particular vector because transfers are near-instantaneous and, in fraud cases, are extremely difficult to reverse once processed.
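
Because reversal is so difficult, the practical control is to hold a transfer before it is released when it follows the sequence above within the same 30-minute window. The following is an added example of such a rule, not code from the original article or from any bank's system; the event names, account identifiers and the two-signal threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # the "less than 30 minutes" figure above

def sample_events():
    """Constructed events: (timestamp, account, action, detail)."""
    t0 = datetime(2024, 3, 1, 14, 0)
    def at(minutes):
        return t0 + timedelta(minutes=minutes)
    return [
        # acct-1: the takeover sequence described in the text.
        (at(0), "acct-1", "login", "new_device"),
        (at(3), "acct-1", "contact_change", "email"),
        (at(4), "acct-1", "contact_change", "phone"),
        (at(7), "acct-1", "add_beneficiary", "payee-X"),
        (at(9), "acct-1", "transfer", "payee-X"),
        # acct-2: known device, pays a long-standing payee.
        (at(0), "acct-2", "login", "known_device"),
        (at(5), "acct-2", "transfer", "payee-Y"),
        # acct-3: adds a payee, pays it two days later.
        (at(0), "acct-3", "login", "known_device"),
        (at(2), "acct-3", "add_beneficiary", "payee-Z"),
        (at(2880), "acct-3", "transfer", "payee-Z"),
    ]

def score_transfers(events):
    """Return [(account, payee, [signals])] for every transfer, in time order."""
    state, results = {}, []
    for ts, acct, action, detail in sorted(events):
        s = state.setdefault(acct, {"new_dev": None, "contact": [], "payees": {}})
        if action == "login":
            s["new_dev"] = ts if detail == "new_device" else None
        elif action == "contact_change":
            s["contact"].append(ts)
        elif action == "add_beneficiary":
            s["payees"][detail] = ts
        elif action == "transfer":
            signals = []
            if s["new_dev"] is not None and ts - s["new_dev"] <= WINDOW:
                signals.append("new_device_login")
            if any(ts - c <= WINDOW for c in s["contact"]):
                signals.append("recent_contact_change")
            added = s["payees"].get(detail)
            if added is not None and ts - added <= WINDOW:
                signals.append("new_beneficiary")
            results.append((acct, detail, signals))
    return results

def transfers_to_hold(events, min_signals=2):
    """Transfers to delay for out-of-band confirmation before release."""
    return [r for r in score_transfers(events) if len(r[2]) >= min_signals]
```

When `recent_contact_change` is one of the signals, the confirmation has to go to the contact details on file before the change, since the new ones may belong to the attacker.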
Email account takeover is equally valuable — often more so — because email is the master key to all other accounts. Controlling a victim's email account allows criminals to initiate password resets for every service registered to that email address, access private correspondence that may contain account numbers, personal information, or business data, forward all incoming mail to monitor for security alerts, and impersonate the victim in communications with financial institutions. In Hong Kong, criminals who gain access to an email account can use it to contact the victim's bank directly — pretending to be the account holder requesting account changes, additional cards, or credit limit increases. This explains why protecting your email account with a unique, strong password and hardware 2FA should be the absolute top priority of any security strategy.
Not all stolen data is directly exploited by the group that stole it. A significant portion of breach data — particularly large-scale commodity breaches involving millions of records — is listed for sale on dark web marketplaces where other criminals purchase it for their own exploitation. This market segment is sophisticated: established dark web markets have reputation systems, buyer reviews, vendor ratings, and dispute resolution mechanisms, operating much like legitimate e-commerce platforms but for stolen data. Prices are determined by data quality, recency, and exploitability. A Hong Kong credit card with verified balance and recent activity may sell for US$30-80; a full identity package ("fullz") containing HKID number, date of birth, banking credentials, and phone number may sell for US$100-500 depending on the account balances available.
The commoditisation of stolen data has created a professional services industry around exploitation. Criminals who are technically sophisticated at hacking may not be skilled at cashing out bank accounts — so they sell the credentials to specialists. "Cashing services" buy account access and extract funds using local money mules; "document services" buy identity data and produce fraudulent documents; "spamming services" buy email lists and phone numbers to run phishing campaigns. This specialisation means that a single breach can fuel multiple separate fraud operations — your stolen data may be purchased and exploited by several different criminal groups through the dark web market ecosystem. This also explains why the consequences of a breach can persist for years: data sold on dark web markets may be re-sold multiple times and remain available indefinitely.
The specific data types traded on dark web markets — and their relative values — reveal which data you should prioritise protecting. Email account credentials (with IMAP access) are among the most valuable because they enable password resets; a verified Gmail account linked to a high-balance PayPal account may sell for US$100+. Banking credentials with recent login history and verified balances are traded as "fullz" with active account access. Phone numbers and carrier account credentials are traded specifically for SIM swap operations. Corporate credentials — VPN access, Microsoft 365 logins, business email accounts — are traded for corporate espionage and ransomware deployment purposes. HKID numbers bundled with financial data specifically target the HK identity verification systems used by banks, property agents, and government services. Understanding this market structure helps prioritise what to monitor and protect most urgently.
Beyond immediate account takeover, stolen personal data enables persistent, long-term fraud that can affect victims for years. Identity fraud using Hong Kong HKID numbers follows a predictable playbook: the criminal first establishes that the victim's HKID number, date of birth, and personal details are valid and not yet flagged as compromised. They then begin a phased exploitation — starting with lower-risk applications (new mobile phone contracts, utility accounts, small credit facilities) to establish a fraudulent credit trail before escalating to larger financial fraud (personal loans, credit cards with high limits, investment account openings). This phased approach is designed to stay below automated fraud detection thresholds while building the credentials needed for higher-value fraud.
Synthetic identity fraud is a more sophisticated variant that combines real identity elements (genuine HKID numbers, real date of birth from breach data) with fabricated elements (alternative phone numbers, fictional addresses, manufactured employment history) to create new "synthetic" identities that don't exactly match any real person's file. This makes synthetic identities particularly difficult for banks and credit bureaus to detect — the HKID number is real, so the identity passes basic verification, but the contact details lead to the criminal rather than the actual HKID holder. Synthetic identity fraud is used primarily for credit applications and financial services, where verification is identity-based rather than presence-based. The victim typically doesn't know their HKID is being used as part of a synthetic identity until unfamiliar accounts appear on their credit file.
Phishing leverage is another under-appreciated use of stolen data. Criminals who purchase breach data — particularly data that includes name, email address, phone number, and some account detail — use this information to craft highly targeted phishing attacks (spear phishing). A message that addresses you by name, references your account number, mentions a recent transaction (from purchased financial data), and asks you to verify via a fraudulent link is far more convincing than a generic phishing message. Hong Kong residents have reported receiving extremely convincing smishing messages that reference specific HSBC or Hang Seng account details — these attacks are enabled by breach data that provides the criminal with enough personal detail to craft a credible message. This is why data minimisation (sharing as little personal information as necessary with services) reduces your phishing vulnerability over time.
For stolen corporate credentials — particularly those of employees at large organisations — the exploitation pathways are even more valuable than personal data exploitation. Business Email Compromise (BEC) is one of the costliest cybercrime categories in Hong Kong, accounting for hundreds of millions of dollars in annual losses. BEC attacks use compromised or spoofed corporate email accounts to impersonate executives, finance staff, or trusted suppliers, instructing payment transfers to criminal-controlled accounts. The success of BEC attacks is enhanced significantly when the criminal has real breach data about the target organisation — knowing the names, email addresses, and relationships between people within a company enables highly convincing impersonation. Corporate credentials purchased from dark web markets that include Microsoft 365 email access provide direct, real-time visibility into company communications for months before the compromise is detected.
Ransomware deployment has become the dominant threat for Hong Kong businesses over the past five years, and initial access via compromised credentials is the most common entry vector. Criminal groups (often called Initial Access Brokers or IABs) specialise in purchasing or acquiring corporate network credentials — VPN logins, RDP (Remote Desktop) credentials, Microsoft 365 accounts — and selling "initial access" to ransomware groups. The ransomware group then pays for access, deploys their malware, encrypts the organisation's systems, and demands a ransom. For small and medium businesses in Hong Kong, a single employee's VPN credential appearing on a dark web market can be the starting point for a ransomware attack that causes millions of dollars in business disruption, recovery costs, and potential data loss. Dark web monitoring for corporate domains — scanning for any employee email appearing in breach data — is the primary early warning system for this attack vector.
Corporate espionage using stolen credentials is a growing threat for Hong Kong businesses, particularly in financial services, professional services, and technology. Competitors, state-sponsored actors, and organised criminal groups purchase or obtain corporate credentials to gain persistent access to business systems — reading sensitive communications, monitoring negotiations, stealing intellectual property, or identifying vulnerable points for future attacks. The HKPF CSTCB has investigated multiple cases involving prolonged, undetected access to Hong Kong corporate networks initiated through credentials purchased on dark web markets. The extended dwell time (average 204 days before detection for enterprise breaches globally) means that an employee credential compromised in a data breach can provide months of undetected access to corporate systems before any monitoring system flags it.