New research reveals the average price for “fullz” and complete identity packages.
WASHINGTON, DC.
On the criminal market, your identity is not one thing. It is a menu.
There is the cheap version, a basic “fullz” bundle of personal data that helps a fraudster pretend to be you on a form. Then there is the expensive version, a working set of logins, recovery paths, and account access that lets someone move money, file a fake tax return, or hijack your digital life without having to guess anything.
That difference is why the same person can be “worth” $20 on one listing and close to $1,000 on another.
In 2026, multiple consumer and threat intelligence price indexes are landing on the same uncomfortable conclusion: basic “fullz” packages are frequently priced like a commodity, often in the $20 to $100 range depending on completeness and freshness, while full account takeover bundles can jump into the hundreds and sometimes approach four figures once access, not just identity, is included. The sticker shock is not the SSN. It is the convenience.
You can see the broader coverage arc and how often this market intersects with real-world fraud spikes after major breaches, in recent reporting.
Here is what is actually being sold, what “$1,000 identity” really means, and what normal people can do to make their identity significantly less profitable without turning life into a full-time job.
Why “fullz” are cheap now
“Fullz” is criminal shorthand for a full data set, typically name, date of birth, address history, and a national identifier like a Social Security number, sometimes with phone numbers and email addresses attached. It is the scaffolding for impersonation. It is not, by itself, a guarantee that a fraud attempt will work.
The economics are brutal in their simplicity. Fullz are cheap because they are abundant.
Years of mega breaches, combined with the rise of malware that vacuums credentials from personal devices, have produced an oversupply of personal data. When supply explodes, prices fall. Many fraudsters also buy in bulk because they are running volume-based scams, such as mass applications for credit, synthetic identity layering, or tax season fraud attempts, where only a small percentage needs to succeed to be profitable.
That is the first paradox consumers should understand. Your identity can be extremely damaging in the wrong hands and still sell cheaply. Cheap does not mean harmless. Cheap means scalable.
The second paradox is that basic fullz are often not enough to break into the modern “front door” systems of banks, email providers, and payment apps. Multi-factor authentication, device fingerprinting, risk scoring, and verification workflows have made pure impersonation less reliable. So, the market has adapted.
Instead of selling identity alone, it sells access.
What the “$1,000 identity” actually includes
When people hear “complete identity package,” they imagine a folder of documents.
What criminals often mean by “complete” in 2026 is closer to an operational kit that reduces friction for the buyer. It can include combinations such as:
A financial account login, or access tokens that bypass repeated logins
The email account that receives password resets and security alerts
Enough personal data to pass knowledge-based questions or basic checks
A phone number pathway that helps with account recovery, sometimes through carrier-level weaknesses
Proof artifacts that help with onboarding screens, such as scans of IDs, selfies, or utility documents, depending on what was stolen in a breach
You do not need any one of these pieces to create harm. But the more pieces a buyer has, the less time they spend failing.
That is where the $1,000 number starts to make sense. Several widely circulated price indexes that consumer publications have referenced, including one summarized by Experian in 2025, show that access credentials are consistently priced higher than raw personal data. They list, for example, certain payment app logins around the high hundreds, and bank account access that can range from modest amounts into the thousands depending on what is included and how easily it can be monetized. In other words, “identity” becomes expensive when it is tied to a working cash-out path, not when it is merely tied to a name.
The market is not paying for your biography. It is paying for your ability to be exploited quickly.
How prices are set, and why averages are misleading
People love averages because they feel concrete. Underground markets hate averages because there is no single product called “identity.”
Prices swing based on a handful of factors that matter more than most victims realize.
Freshness
Old data is still useful, but “fresh” data converts at higher rates. If a login still works today, the buyer is not paying for hope. They are paying for a working tool.
Completeness
A minimal fullz set is one thing. A fullz set with an email, a phone number, and enough address history to sail through “verify your identity” prompts are another.
Geography and institution
Different jurisdictions and institutions have different controls. Some environments are harder to exploit, which can raise the value of access that actually works. The same logic applies to “high friction” institutions like banks compared with lower friction targets like retail accounts.
Recovery advantage
A buyer who can control the recovery channel can turn one breach into multiple takeovers. If they have the email account used for resets, or can intercept verification codes, they can often keep access long enough to do real damage.
Balance and monetization potential
Access tied to money is priced like money. A login that leads to an empty account is worth far less than access linked to a balance, a credit line, or a payment platform.
Risk and reliability
Criminal markets have their own version of customer expectations. Products that “fail” too often lose value. Products that keep working, or come with replacement promises, gain value.
This is why a basic “fullz” average can look low while a “complete identity package” average looks high. You are not looking at the same product.
The real shift in 2026 is the market moving from identity theft to identity takeover
For years, the classic identity theft story was about opening new credit in your name.
That still happens. But the higher velocity, higher profit crime today is often takeover, not creation. It is easier to take an existing account than to open a new one under tightened onboarding controls.
Account takeover also scales. If a fraud ring has access to a hundred sets of credentials, it can test them across multiple services, then target the ones that unlock the most value. That testing is largely automated. The human work begins only after a high-value target is identified.
This is also why the “$1,000 identity” line resonates. It is not describing a pile of personal data. It is describing a turnkey theft workflow, where the buyer is paying to skip the hard part.
A practical example that explains the pricing gap
Imagine two listings.
Listing A is fullz: name, address history, date of birth, SSN, and a phone number. It is priced at $40.
Listing B is a bundle: a working email login, a payment app login, and enough personal info to pass basic checks. It is priced at $900.
In the real world, Listing A might still be used to file a fraudulent application, but it will fail often enough that the fraudster needs scale to make money. Listing B is a targeted weapon. It is designed to convert with fewer attempts. The buyer is paying for certainty.
This is the same reason stolen credit card numbers can be cheap while a compromise that includes device-level session data, recovery access, and payment rails can command a premium. The market is rewarding reduced friction.
The hidden cost is not what criminals pay; it is what victims pay
A dark market price is not a measure of your worth. It is a measure of the criminal’s cost.
Your cost is different, and it usually includes:
Time lost recovering accounts and disputing transactions
Credit damage and loan or rental friction
Tax season chaos if a fraudulent return is filed
Emotional strain, especially when identity theft becomes repetitive
Professional risk if your name is used in scams or your email is hijacked for phishing
That victim cost is why the market matters even if the sticker price looks small. A $40 fullz sale can still trigger a months-long ordeal.
What to do if you think your information is in circulation
If you suspect exposure, the best response is not panic. It is containment.
Start by assuming the fraudster’s advantage comes from speed. Your goal is to remove speed.
Lock down your email first
Email is the master key to account recovery. Change your email password, enable strong multi-factor authentication, and review account recovery settings. If your email is compromised, everything else is downstream.
Strengthen authentication, but do it intelligently
Multi-factor authentication is powerful, but methods matter. App-based authentication is generally stronger than SMS because SMS is vulnerable to SIM swap and interception scams. Hardware keys are stronger still. The point is to raise the cost for the attacker.
Freeze your credit
A freeze reduces the ability to open new credit lines in your name. It does not stop all fraud, but it blocks one of the most damaging pathways.
Watch your “recovery surface”
Fraudsters often win through account recovery. Tighten phone carrier security where possible. Remove outdated recovery emails. Turn off weak recovery methods when alternatives exist.
Document everything
If your identity is abused, keep a file. Dates, institutions, reference numbers. It becomes your leverage when disputes become repetitive.
If you become a victim of identity theft, the most direct official recovery pathway in the United States is to file and follow the guided plan at IdentityTheft.gov. The value here is not just the instructions. It is the paper trail that helps disputes move faster.
Why “identity reset” services are growing, and what they can and cannot do
Whenever the dark market conversation gets loud, a predictable wave follows: people start asking about “resetting” their identity.
That demand is understandable. It is also often based on a myth.
There is no consumer switch that erases your old identity from the data economy. Even legal name changes, which can be appropriate for safety and personal reasons, do not eliminate historical records. They create a name progression chain that must remain credible across banks, passports, credit ecosystems, and government files.
This is where professional advisory services increasingly frame identity transitions as a compliance problem, not a reinvention project. According to Amicus International Consulting, the most damaging mistake people make after a fraud event is chasing the fantasy of a “new identity” while ignoring the operational reality that modern verification systems punish inconsistency. A lawful transition can reduce certain exposures, but only if it is done with documentation integrity and careful sequencing.
Put differently, changing your name can be part of a privacy strategy, but it will not stop a fraudster who already has your credentials today. Your first priority remains account security and recovery control.
The market’s biggest tell is what it values most
If you want to understand where risk is headed, follow the money.
The underground market consistently values the same things:
Access to money movement
Control over account recovery
Ability to bypass identity checks through session data or established accounts
Low-friction conversion, meaning fewer failed attempts
That list is a roadmap for defense.
The more you protect recovery channels, the more you reduce the payoff of stolen data. The more you use strong authentication, the less valuable credential dumps become. The more you monitor financial and tax touchpoints, the more you cut off the “cash out” window.
A 2026 defensive checklist that actually moves the needle
Most people do not need a cybersecurity degree. They need a few high-impact habits.
Use unique passwords everywhere
Password reuse is the accelerant that turns one breach into five account takeovers.
Turn on multi-factor authentication on your email and financial accounts
If you do only one thing, do it here.
Treat your phone number like a high-risk asset
Many takeovers start with phone-based recovery. If a service allows you to remove SMS recovery in favor of stronger methods, consider it.
Audit your recovery settings once a quarter
People set recovery emails and forget them. Attackers do not forget.
Reduce public exposure where feasible
The more personal data is publicly accessible, the easier it is to pass verification prompts. You cannot remove everything, but you can reduce the easy wins.
Act fast when you see anomalies
Fraud is often a race. Minutes matter when an attacker is trying to pivot from one account to another.
The bottom line
The dark market is not mysterious because it is sophisticated. It is mysterious because it is fast.
Basic “fullz” can be cheap, commonly priced in the tens of dollars, because the supply of personal data is enormous. But the “$1,000 identity” is real in a different sense: once stolen data is paired with working access to accounts, recovery channels, and monetization paths, the value climbs sharply.
The best way to think about the market is not as a place where your name is sold. It is a place where convenience is sold. And the most effective defense is to make your identity inconvenient to exploit.