For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.

A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market pricing for this compromised data, begging the question: Have we reached an oversaturation and devaluation of these credentials on the dark web?

New cloud threat report identifies a decrease in cloud credential pricing

In its fifth year of reporting on the cloud threat landscape, IBM’s X-Force team has collected and analyzed data between June 2022 and June 2024 across multiple sources to identify key insights and emerging trends associated with cloud vulnerabilities and dark web statistics.

In collaboration with Cybersixgill, a leading cyber intelligence agency that specializes in analyzing and monitoring deep web and dark web activity, the X-Force team has observed a steady decrease in the sales prices of stolen cloud credentials.

In 2022, the average price of cloud access credentials was positioned at $11.74, lowering to $10.68 in 2023 and dropping again to $10.23 in 2024. This three-year trend translates to a 12.8% overall decrease in price, potentially pointing to a market shift in both supply and demand for these stolen assets.

Likely contributors to lower-cost credential prices

When looking at the year-over-year decrease in cloud access credential value, there are a number of possible contributors driving this shift. To help shed some light on this topic, Colin Connor, a member of IBM’s X-Force team, was asked to comment on the shifting dark web market dynamics.

Adding some perspective and helping to establish an important distinction between “cloud credentials” and “cloud access,” Connor clarifies that these stolen credentials are “low-hanging fruit for cyber criminals… credentials are stolen from stored credentials in an infected system through information stealers, and nothing has been validated yet. Basically, somebody has gone to all the trash bins in the neighborhood, grabbed all the letters that are in the trash bins and then said, okay, here’s house A, B, C, etc., and the information found there is for sale.”

Another thing to consider is that while lower-quality credentials are more openly available on dark web markets, not all cyber criminals use the same methods to fund their enterprises. “One potential reason behind the decrease in average price points is that the higher value credentials are being sold by criminals outside of the dark web markets as corporate access or as data leaks,” states Connor, again impacting general statistics.

Are recent trends pointing to market “oversaturation” or “normalization”?

At first glance, it’s easy to assume that the demand for stolen cloud credentials is lowering and the market has reached a saturation point. However, when combining these trends with other factors, the bigger picture starts to become a bit clearer.

When speaking with Connor, it’s likely that recent decreases in price point averages for cloud credentials between 2022 and 2024 are more likely market “normalization” rather than pointing to a continuous trend in overall devaluation.

“What we’ve seen is that typically, most credentials are purchased at $10. This price represented over 80% of the market pricing between all years… $20 is really the breaking point,” Connor says. “It’s these outliers — typically less than 10% — that have caused anomalies between 2021 and 2024.”

“These changes aren’t really significant… what we’re looking at really is just a normalization of the market pricing.”

While these credential types still serve their purpose to cyber criminals, the real money is made by selling actual cloud access. These are validated access credentials that can sell for thousands of dollars for higher-profile assets.

What does lower pricing of cloud credentials say about criminal priorities?

While the flood of stolen cloud credentials on the dark web might be keeping this form of cyber crime low priority, this doesn’t necessarily point to a slowdown in focus on gaining cloud system access.

As unvalidated user credential pricing remains low, attackers will likely double down on exploiting known cloud vulnerabilities that provide more direct levels of access. According to the recent OWASP Top 10 list, organizations should expect to see a rise in attacks targeting SQL injections, cryptographic failures and broken access control systems. These vulnerabilities offer a more reliable and direct path to valuable data and resources within applications and cloud environments.

Another growing trend that IBM’s X-Force team has recognized is the use of Cross-Site Scripting (XSS) to provide open access and privilege escalation in cloud environments. XSS was reported as the top discovered cloud vulnerabilities and exposures (CVEs) referenced in the report and has become a considerable threat to be aware of.

This attack method allows criminals to steal session tokens and redirect users to malicious sites. They can then compromise access levels and deploy a variety of tools, including crypto miners, infostealers, ransomware and other forms of dangerous malware.

Monitoring and adapting to the new threat landscape

With each year that passes, it’s important for organizations to regularly monitor and adapt their defense strategies in response to dark web intelligence trends. This includes building a stronger identity security posture, creating comprehensive threat modeling strategies and strengthening their incident response capabilities.