Introduction
The dark web's shadowy marketplaces offer a wide array of goods and services. Hackers sell access to corporate websites, distribute stolen databases for free, develop malware for specific purposes, and exploit data they obtain for fraudulent activities, among other things. The wide variety of services available on the dark web enables both highly skilled cybercriminals and low-skilled hackers to carry out successful cyberattacks. This provides an easy entry point into the world of cybercrime. As part of our research into information security threats, we continuously monitor cybercriminal activity on dark web forums. This enables us to predict the goals of malicious actors and assess their interest in specific countries, industries, and systems.
This report explores hacker motivations and the cybercrime-for-hire market in India during 2023–2024, highlighting the most popular topics for discussion, target industries, and pricing trends.
Research methodology
For this research, we analyzed 380 Telegram channels and dark web forums. These platforms had a combined user base of 65 million and over 250 million posts, with a focus on India-related content. Our dataset comprised the biggest dark web platforms supporting multiple languages and catering to a wide array of interests. The study covered the period between September 1, 2023 and October 1, 2024.
We analyzed the following post categories:
- Databases: data breaches involving personal data, user logins, and sensitive company documents
- Corporate access: data used for unauthorized access to a device or service within a company's infrastructure
- Spam: tools and data for mass text messaging, email campaigns, and automated phone calls
- Carding: bank card details
- Documents: document forging services
- Traffic Redirection: redirection to phishing sites and malicious file downloads
- DDoS Attacks: hacker groups' claims of successful DDoS attacks
- Hacks: hacker groups' claims of successful intrusions not covered by the other categories
- Ransomware: hacker groups' claims of successful ransomware attacks
- Defacements: hacker groups' claims of altering a website home page
Cyberthreats facing India. Data from the dark web
India is a country with a high rate of digital development, aimed at transforming its economy and modernizing its infrastructure. India claimed the third spot among the world's largest digital economies in 2024. Digital tools have transformed many aspects of life, propelling business and entrepreneurship to new heights. Furthermore, India is aggressively expanding its space capabilities and pouring investments into its space industry. In 2023 India became the fourth country to land a spacecraft on the Moon. At the same time, the Indian Space Research Organisation is fending off over 100 cyberattacks every day. These factors combined make the region a tempting target for criminals.
An analysis of listings has revealed that the most popular topics on dark web marketplaces for India are databases (42% of posts) and access credentials (23% of posts).
Listings in the Carding category (10%) may contain sensitive bank card information: card number, expiration date, CVV code, cardholder's name, as well as their home address, phone number, and email address. Cybercriminals use this data in fraudulent schemes to withdraw funds. The average price of a dataset of 100 card records belonging to Indian users is $500.
Traffic redirection services were discussed in 9% of posts. These promised to drive Indian users to a particular website, such as one designed to steal their information or infect their devices. Traffic can be targeted to users with specific hobbies and interests.
Seven percent of the posts discussed the sale of databases for spam. These databases contained phone numbers and email addresses. In addition, we found posts offering drop services [1] (5%) and document forging (4%).
[1] "Drops" are individuals who provide a service to criminals by receiving money in their bank accounts with the intention of later withdrawing the cash.
Databases are the most popular subject
India ranks third among countries by number of dark web listings relating to data breaches. A free distribution model is used for over two-thirds (66%) of database-related posts. This high proportion of databases distributed for free is linked to the activities of hacktivists [2] focused on this region, and to ransomware gangs that publish confidential data for free if the victim refuses to pay a ransom. Hacktivists aim to draw public attention to political issues through a variety of cyberattacks, such as DDoS, website defacement, and attacks on corporate infrastructure. They may release the data they steal at no cost as a way to demonstrate the effectiveness of their hacks and bolster their reputation.
[2] Hacktivists are malicious actors whose primary goal is to draw public attention to specific issues through whatever types of cyberattacks their skill level allows.
Of all freely distributed databases, 25% were associated with research and educational institutions, while 20% were linked to financial organizations. Educational institutions can attract cybercriminals due to a number of factors. These organizations process and store confidential information about a large number of students and employees. Additionally, educational institutions frequently overlook the importance of cybersecurity, leaving them highly vulnerable to malicious actors.
Successful cyberattacks on financial institutions can cause disruption, halt operations, and result in substantial losses.
Customers' and employees' personal data accounts for the largest portion (61%) of data breaches involving companies. These databases contain personal data such as the full name, date of birth, email address, phone number, home address, and details from government-issued identification documents. A cyberattack on an Indian electronics manufacturer in April 2024 resulted in a leak of 7.5 million customers' personal data. Nineteen percent of the listings involved login and password information for accounts on various online platforms. Fifteen percent of the listings concerned breaches of companies' internal files, such as confidential documents and source code.
Twenty-nine percent of the database-related listings offer databases for sale. These posts offer databases stolen from financial institutions (24%), service companies (17%), and the retail industry (10%).
Forty percent of sale listings price the database at $1,000 or less. Mid-priced offers make up a significant portion of all sale listings, accounting for approximately 50%.
Posts seeking to buy data (5%) are focused on specific industries. This kind of demand indicates cybercriminals' interest in companies from a particular industry. The majority of database wanted listings in the region target the financial industry (62%).
Access
Access to corporate infrastructure is the second most popular (23%) topic for dark web listings in India. Listings offering access account for 79% of the total. A large percentage of the offers (23%) target the retail industry, followed by finance (15%) and services (12%).
The percentage of posts seeking to buy access is quite small at 1%. This suggests that the abundance of offers on the Indian corporate access market gives cybercriminals ample choice. The wanted listings seek access to financial institutions and lenders.
Twenty percent of posts offering access to companies' infrastructure offer it for free. These listings are linked to the activities of hacktivists in the context of global political tensions. Most of these posts offer access to scientific and educational (41%), government (35%), and medical (12%) infrastructure.
Over 60% of the access credentials being sold go for less than $1000, making them affordable even for hackers with limited funds. Packages starting at $50 provide access to online shopping platforms. There are also expensive offers for access to Indian financial institutions. For example, the cost of administrative access to a bank's infrastructure, including the ability to connect to internal portals and servers for ATM and mobile app management, starts at $70,000.
Half of all listings offered access to companies' infrastructure via either RDP (29%) or VPN (23%). Sellers typically obtain this type of access from credentials harvested by infostealers on employees' devices. Access to content management systems such as Magento and WordPress also makes up a significant portion (22%) of the total.
The Other category (11%) encompasses a variety of options for connecting to company infrastructure: repository management (Bitbucket), virtualization (VMware ESXi), project management tools (Jira), data backup (Veeam Backup & Replication), and database management (phpMyAdmin, MySQL).
Eight percent of the posts offered access via a web shell (malicious script uploaded to a compromised server), and 7% via remote access tools (AnyDesk, Citrix, ScreenConnect).
Each type of access comes with a certain level of system privileges. The most common offers are for local administrative privileges (57%), which give full control over only one computer or server. Accounts with domain administrator privileges make up 16% and grant access to all servers and computers within the domain. Access with domain user (18%) or local user (9%) privileges may still appeal to an advanced attacker, since it offers a foothold from which to escalate privileges independently. Having gained higher-level access, the attacker can perform administrative actions on the compromised system and then expand the attack to the organization's critical systems.
Successful attack claims
The most common claims of successful attacks are claims of defacing companies' home pages (45%). Claims of successful DDoS attacks and hacks account for 18% and 14%, respectively. These claims come mainly from hacktivist groups targeting the region over geopolitical conflicts.
Government and service company websites were hit the hardest by defacing attacks, indicating a potential security weakness in these industries. By vandalizing the homepages of these institutions, hacktivists could potentially grab the public's attention and spread propaganda to sway public opinion.
Forty percent of the claimed hacks involved educational institutions, while 33% targeted government agencies. Hackers who break into government systems can steal important data, secret plans, and official email.
Eighty-five percent of DDoS attacks targeted the financial industry, while the remaining 15% were directed at government agencies. DDoS activity is persistent, with a 50% increase in attack frequency observed between January and October 2024.
Hacker groups' claims of successful ransomware attacks account for 23% of all alleged successful incidents. Industrial companies (25%), financial institutions (19%), and service companies (16%) accounted for the largest number of such claims.
Takeaways
India is a region undergoing rapid digitalization and deep digital transformation, and is actively investing in promising future industries. These factors, taken together, make the region a target for cybercriminals.
Dark web forums offer a variety of tools and services that target the region. The widespread availability of stolen databases exacerbates the threat to individuals, making them more vulnerable to a variety of scams and phishing attacks. By combining data from several breaches, attackers can enrich a potential victim's profile and then use social engineering against employees of different companies.
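To make the enrichment mechanism concrete, here is an added Python illustration (not code from the original report or its authors) that joins two constructed breach dumps on the normalized e-mail address: a personal-data dump and a credential dump. The dump contents, field names and the company domain are all assumptions; the point is that identities present in both dumps become fully profiled targets, and that a defender can run the same join restricted to their own domain to find exposed staff.

```python
"""Correlating two breach dumps to build enriched victim profiles.
Added illustration for this report, not the original author's code; both
dumps, the field names and the company domain are constructed examples."""
import re
from collections import defaultdict

# Constructed: a "personal data" dump, as from a retailer or service company.
RETAIL_DUMP = [
    {"name": "Asha Rao", "email": "Asha.Rao@Example-Corp.in",
     "phone": "+91 98765 43210", "city": "Pune"},
    {"name": "Vikram Mehta", "email": "vikram.mehta@gmail.com",
     "phone": "9123456780", "city": "Mumbai"},
    {"name": "Neha Singh", "email": "neha.s@example.org",
     "phone": "+91-9000000001", "city": "Delhi"},
]

# Constructed: a "logins" dump from an unrelated online platform.
PLATFORM_DUMP = [
    {"login": "asha.rao@example-corp.in", "password_hash": "hash_a"},
    {"login": "VIKRAM.MEHTA@gmail.com", "password_hash": "hash_b"},
    {"login": "someone.else@example.net", "password_hash": "hash_c"},
]


def normalize_email(email: str) -> str:
    """Dumps differ in case and whitespace; the join key must not."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Reduce '+91 98765 43210', '+91-9876543210' and '9876543210' to one form.
    A bare 10-digit number is assumed to be an Indian mobile number (+91)."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = "91" + digits
    return "+" + digits


def merge_dumps(personal_rows, credential_rows):
    """Join the two dumps on e-mail; each profile records which dumps fed it."""
    profiles = defaultdict(lambda: {"sources": set()})
    for row in personal_rows:
        p = profiles[normalize_email(row["email"])]
        p.update(name=row["name"], phone=normalize_phone(row["phone"]),
                 city=row["city"])
        p["sources"].add("retail")
    for row in credential_rows:
        p = profiles[normalize_email(row["login"])]
        p["password_hash"] = row["password_hash"]
        p["sources"].add("platform")
    return dict(profiles)


def fully_profiled(profiles, company_domain=None):
    """Identities present in both dumps: a name, phone and city to make a
    pretext convincing, plus a credential to try against the employer's
    services. Optionally restrict to one e-mail domain, which is what a
    defender would do to find their own exposed staff."""
    hits = [email for email, p in profiles.items()
            if p["sources"] == {"retail", "platform"}]
    if company_domain:
        hits = [e for e in hits if e.endswith("@" + company_domain.lower())]
    return sorted(hits)


if __name__ == "__main__":
    merged = merge_dumps(RETAIL_DUMP, PLATFORM_DUMP)
    print(len(merged), "identities after merging")
    print("exposed at example-corp.in:", fully_profiled(merged, "example-corp.in"))
```

Even this trivial join shows why the report treats free database dumps as a threat multiplier: neither dump alone gives an attacker a working pretext plus a credential, but the union does, and the same normalization that makes the join work for an attacker makes it cheap for a security team to monitor leaks for their own domain.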
The abundance of cheap access offers makes it easier for hackers to break into company networks. In addition, there is a growing trend of giving away access for free. This is often linked to the activities of hacktivist groups who seek to draw attention to specific political, social, or religious issues.
These factors may contribute to a surge in cyberattacks targeting businesses within the region. Safeguarding against customer and employee personal data breaches, disruption or suspension of business processes, and financial and reputational losses requires a comprehensive defense centered around result-driven cybersecurity. This approach prevents non-tolerable events [3] and unacceptable financial harm to the business.
[3] Non-tolerable events are events triggered by a cyberattack that prevent the organization from achieving its operational or strategic goals, or lead to a significant disruption of its core business.
When building a comprehensive defense against cyberattacks, combining SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) allows for the collection and analysis of security events from various sources, and centralized response. The MaxPatrol O2 metaproduct can enhance the efficiency of security event monitoring and response. It enables the detection of intruders within a company's infrastructure, identifies compromised resources, and predicts attack progression with non-tolerable events in mind. The NGFW (Next-Generation Firewall) provides the first line of defense for your network, protecting critical applications and core business operations. The WAF (Web Application Firewall) detects and blocks targeted and mass attacks, including those on the OWASP Top 10 list and zero-day attacks. It also provides protection against application-level DDoS attacks. With the MaxPatrol VM vulnerability management system, you can establish a vulnerability management process on the perimeter, including prompt remediation. NTA (Network Traffic Analysis) tools detect cyberattacks through behavioral analysis of network traffic and assist in the proactive search for threats. Sandboxes boost protection performance by detecting various types of malware: new viruses, zero-day exploits, ransomware, and others.