New Commodities, New Consequences: Child Data on the Dark Web

Next: The Year Ahead: Developments in the Dark Web...
Previous: Collection #1: Why You Should Care but Not...
Writer Emily W.
January 08, 2019

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy, while crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

We need to talk about the children.

When we think of data breaches, we immediately, instinctively think of adult data. Adults are active consumers, embedded across different tiers and layers of the digital world. Children are typically insulated from these interactions—they’re under the protection of their parents, free from the complications (and compromises) of the system.

Or so they should be.

In recent years, child data has begun to circulate more regularly in the dark web fraud communities. This data marks the beginning of a new commodity in the criminal economy, with far-reaching consequences.

In late December, Terbium Labs discovered a series of listings advertising child data for sale on a handful of major dark web markets. These listings, all from the same vendor, promote “Kid Fullz” as part of the vendor’s “NEW STOCK DECEMBER 2018.” The vendor offers a comprehensive package of data for each of the children exposed: name, address, social security number, and date of birth—everything a cyber criminal needs to create a synthetic identity, open up a payment account, or abuse the child tax credit (particularly convenient as we head into tax season).

Data belonging to young children comes from a limited number of possible sources: the government, medical providers, and, eventually, schools. In one “Kid Fullz” listing, the vendor notes that the data comes from “pediatrician and other medical databases.” In other listings for personal data, the same vendor claims to have “breached a very large hospital recently”—no doubt a similar exploit that compromised the pediatricians. In a disturbing nod to fraud buyers, the vendor goes on to say that these children belong to “good” families, ones that can afford healthcare services for their children.

Kids Fullz (Dream) Screenshot.png

This is not the first time Terbium Labs has detected sensitive information for children on dark web markets. Terbium Labs discovered a listing for “infant fullz” at end of 2017, offering data on newborn babies. In 2016, a listing appeared on Alphabay that grouped children’s Social Security numbers with parent details in a convenient tax fraud package. Listings for child data appear few and far between—perhaps one or two a year—but they continue to appear steadily year over year. Child data is (for now) primarily a byproduct of other exploits, as in the case of the hospital databases described above. Where child data appears in the mix of standard breaches, vendors see an opportunity to test the market for these rare, truly fresh data sets—sometimes at a significantly higher price than traditional adult data.

Alphabay Child SSN Listing Screenshot-355e9e.png

Cyber criminals have a distinct advantage here: no one expects identity thieves to go after children, so few watch for it. The data might circulate unnoticed for a decade or two until someone goes to open their first credit card or take out a student loan—long after the damage has been done. Child data is now a commodity in its own right, becoming a more regular feature of the fraud ecosystem. When we think about data exposure, we can’t just think about adults. When we monitor data after a breach, we need to think about the full population of users, because the fraudsters will use every record at their disposal. In a world of constant compromise, the demand for fresh data—particularly for the creation of synthetic identities and pursuit of other fraud schemes—will continue to drive vendors to new, untapped sources. Short of manufacturing a new persona from fake data, the surest way to secure a fresh identity is to seek out one that didn’t exist a few years or even a few months ago.

analysis January 18, 2018
Excuse Me, Are You Using That Child Tax Credit?

Even with the turmoil taking over the dark web’s major marketplaces earlier this year, fraud vendors have set up new shops just in time for tax season. While many people won’t think about filing...

analysis June 28, 2018
Shady Business: Commoditization of Data in the Dark Web Economy

Terbium's new report, Shady Business: Commoditization of Data in the Dark Web Economy, examines the underground data trade, investigates the shady business side of dark web operations, and challenges existing ideas about data valuation....