• E-mail accounts are among the most commonly stolen data on the dark web, and e-mail services such as Gmail, Yahoo and Hotmail are in the Top 10 globally.

  • Credit cards: Italy ranks 15th on the list of countries most subject to illicit data exchange. In 95.5% of cases, the stolen card data is complete.

  • The amount of stolen personal data on the dark web increased by a total of 17.9% in the first six months of the year.


In the first six months of 2023, fraudulent activity by hackers around the world continued to increase. The number of accounts whose credentials were compromised increased significantly, often in combination with other data that is extremely valuable to hackers. As a result, the number of alerts sent relating to data on the dark web also grew, totaling 911,960. This represents a 17.9% increase compared to the second half of 2022. On the other hand, the number of alerts sent relating to data on the open web was more than 45,600, down 26.9% compared to the same period.

These are some of the main findings of the latest edition of the CRIF Cyber Observatory, which looks at the vulnerability of individuals and companies to cyber-attacks and interprets the main trends concerning data exchanged in open web and dark web environments, the type of information, the areas in which data traffic is concentrated, and the most exposed countries.

“The findings from the Cyber Observatory give cause to reflect on the risks related to the circulation of our data online. In particular, contact information and account credentials are becoming increasingly attractive to fraudsters, facilitating scams and identity theft. Indeed, if criminals manage to get hold of multiple pieces of personal data that help complete a victim's profile, they can design their attacks better, using social engineering techniques.
Another threat that is growing significantly is ransomware, especially in relation to companies. Through double extortion, not only does a company suffer the theft and compromise of its sensitive information, but the risk of company details being spread on the dark web also increases”, explained Beatrice Rubini, CRIF Executive Director.

The most commonly stolen data type on the web

Analysis of the data from the first half of 2023 shows that e-mail addresses are the most common category of data circulating on the dark web and therefore more vulnerable to hackers. These are followed by passwords and usernames in second and third place, then postal addresses and telephone numbers. When it comes to the theft of e-mail accounts, one of the countries most affected globally is in fact Italy, which is ranked 5th, after the USA, Russia, Germany and Bulgaria, and higher than Brazil, the United Kingdom, Poland, Japan and Canada.

In addition, among the data found to be most frequently circulating on the dark web are e-mail service account names - with Gmail, Yahoo and Hotmail in the top 3 places in the ranking - followed by dating sites, telecommunications services, and health and fitness accounts.

A qualitative analysis of the domains shows that the e-mail accounts detected on the dark web refer to personal accounts in 90.7% of cases, while in the remaining 9.3% of cases they are business accounts, with an increase of 3.7% in the latter case compared to the second half of 2022.

Together with e-mail addresses, the Cyber Observatory data shows that telephone numbers have also become increasingly valuable personal information that needs to be better protected, because they allow the victim’s profile to be completed. In fact, the combination of this with a password was detected in 29% of cases. This exposes victims to the possibility of receiving more credible fraudulent messages, such as those relating to the authorization of fake payments or blocked accounts. Often these smishing messages (SMS phishing) contain malicious links that encourage victims to click and provide additional data to the fraudsters, allowing them to geolocate victims’ devices and reconstruct their identities. Another very dangerous type of attack is known as SIM swapping, which involves obtaining the victim’s phone number to allow fraudsters to access certain services without the victim’s consent (bypassing two-factor authentication).

As a result, telephone numbers play a key role and, when combined with passwords, increase the vulnerability of victims. Indeed, this combination of data theft more than tripled compared to the second half of 2022, with an increase of 372%. In addition, among the main combinations of data collected on the dark web, e-mail addresses are very often associated with a password (92.3% of cases), just as passwords very often appear with usernames (62.5%).

Table for main data combinations
Source: CRIF Cyber Observatory

Theft of credit card data

Looking at the continents most subject to the exchange of illicit data concerning credit cards, North America is in 1st place, followed by Europe, which saw a 90.8% increase in fraud compared to the first half of 2022. Italy is ranked 15th worldwide, behind countries such as the USA, France, Mexico, Denmark and Brazil. With regard to this data, it is important to note that very often, in addition to the credit card number, the CVV and expiry date of the card are also present on the dark web (95.5% of cases). In the end, therefore, criminals almost always manage to get hold of all the data on a card.

Use of stolen accounts

Interestingly, the analysis shows that most of the stolen accounts and data are then used by hackers to illegally enter entertainment sites (35.6%) followed by social media (21.9%) and e-commerce accounts (21.2%) using victims’ credentials. The theft of these accounts can have direct financial consequences for victims, and this phenomenon increased significantly compared to the second half of 2022. In fourth and fifth places are the theft of accounts relating to payment service websites and forums (18.8%) and financial accounts (1.3%), such as bank accounts, as well as marketplace accounts, including international, which are increasingly falling within the sights of hackers. In fact, the most affected e-commerce category is clothing sector platforms.

Table most commonly detected accounts
Source: CRIF Cyber Observatory

The situation in Italy

Looking more specifically at Italy, in the first half of 2023, over 40% of users received an alert relating to their data. There has been an overall increase in alerts sent relating to the theft of monitored data on the dark web, with almost 4 out of 5 users receiving alerts of this type. On the other hand, with regard to the open web, where data is practically accessible to anyone, 20.5% of users received an alert. Here, the most frequently identified data included tax code (55.1%) and e-mail address (32.3%), followed by telephone number (7.6%), username (2%) and postal address (3%).

What you can do

We all need to pay close attention to the e-mails and messages we receive every day, training ourselves to recognize scams and phishing attempts. It is important not to click on links in suspicious e-mails or SMS messages and, above all, not to provide personal information in response to messages that appear to have been sent by our bank or another company, always checking the sender’s telephone number or e-mail address. It is therefore becoming increasingly important for public and private companies to develop vulnerability assessment systems and to carry out internal awareness-raising campaigns for their employees. On the other hand, it is advisable for consumers to manage their data very carefully, using tools that allow them to protect their devices and monitor their data,” concluded Beatrice Rubini.