
By Andréanne Bergeron, Security Researcher & Catherine Larose, Criminology Intern (University of Montreal)
A social security number sells for $4.31 on the dark web, yet the most serious offenses involving one carry a maximum sentence of 30 years in federal prison. PHI commands $300 per record (the highest price on any dark web market), but does not even appear among the top three data types by sentencing severity.
Underground market prices and criminal sentencing are measuring two completely different things: one reflects what attackers find useful, the other reflects what society has decided causes serious harm. We analyzed 209 real criminal cases to understand what the legal system reveals about data harm that market pricing never captures.
Key Takeaways About Stolen Data Sentencing
- Credit cards, social media profiles, and social security numbers are associated with the longest prison sentences when they serve as the primary instrument of a crime, despite ranking far lower in underground market pricing. This shows that market value and legal severity measure different things: underground market prices reflect attacker demand and usability, while criminal sentencing reflects societal judgments about harm.
- Cheap data is not necessarily low-impact. Some data types (e.g., email addresses or SSNs) are inexpensive on dark web markets due to abundance, not because they are harmless or low-risk. At $4.31 per record, SSNs are among the cheapest data types on dark web markets, yet they enable fraudulent tax filings, credit lines opened in victims’ names, and identity fraud that takes years to resolve. Congress has attached penalties of up to 30 years to the most serious related offenses.
- SSNs and social media profiles are central to high-harm crimes. SSNs enable long-term identity fraud, while social media profiles facilitate impersonation, stalking, and targeted fraud; both are linked to severe legal penalties. The modest $27.34 market price of social media profiles understates their role in these harmful activities.
- Defense strategies should consider both lenses. Market pricing helps explain attacker behavior, and sentencing data highlights real-world human harm. Together, they provide a more complete framework for prioritizing data protection.
Why Market Value and Legal Severity Diverge
Dark web market price and the criminal sentencing related to PII are not the same thing, and the gap between them matters. Dark web prices are shaped by supply and demand, exploitability, and the operational needs of threat actors at any given moment. They are efficient signals of attacker preference, but they say little about the human consequences of a breach. A data type can be cheap on the market precisely because it is abundant, not because stealing it is harmless.
Criminal law operates on a different logic. Statutes and sentencing guidelines are the product of legislative deliberation, case law, and (imperfectly, but meaningfully) societal consensus about which harms are serious enough to warrant the state’s harshest response. When a judge sentences someone to a decade in prison for identity fraud, that outcome encodes a judgment about harm that no market price captures.
PHI commands the highest price on dark web markets at $300 per record. But when we looked at the same question through a legal lens (i.e., which PII types are associated with the longest prison sentences), a different picture emerged, one that reflects not what attackers find valuable, but what victims actually suffer.
The Data Behind the Analysis
We analyzed 209 real criminal cases drawn from the US Attorney’s Office databases, court records, and documented case reporting. Across those cases, we identified 43 distinct criminal statutes invoked when PII was used to commit a crime, from stalking and doxxing to large-scale financial fraud and medical identity theft. The most prosecuted statute in our dataset was Article 1028 of the U.S. Criminal Code: Fraud and related activity in connection with identification documents.

Figure: Distribution of criminal statutes across 209 cases
For each case, we recorded which PII types were used, the applicable statute, and the resulting sentence in months. Cases involving only a single PII type were weighted more heavily, providing the cleanest signal of that data type’s direct legal exposure. Sentences were standardized to months, with cases resulting in financial restitution only recorded as zero months of imprisonment.
What the Legal Model Reveals
When sentence length is modeled against PII type, three consistently rise to the top: credit cards, social media profiles, and social security numbers. These are the data types most directly associated with the longest prison terms when they serve as the primary instrument of a crime.

Figure: Average sentence lengths in months by PII type
SSN
A stolen SSN used to file fraudulent tax returns or open lines of credit can take victims years to untangle.
Congress has attached penalties of up to 30 years to the most serious related offenses, and the average sentence is 31.32 months (slightly less than three years). That severity simply is not captured in a $4.31 market price.
Social Media Profiles
That social media profiles appear near the top, at 46.53 months (about four years), is perhaps the most counterintuitive finding. Their relatively modest market price of $27.34 understates their role as a primary enabler of impersonation, stalking, and targeted fraud, all of which carry significant custodial sentences.
Credit Cards
Despite their relatively low unit price, credit card fraud cases have the highest average sentences, at 54.63 months (about four and a half years). The crimes they enable tend to involve large aggregate losses, organized schemes, and high victim counts, all factors that drive sentencing upward.
What This Means for Defenders
Criminal sentencing data is an attacker-independent signal, and it reflects documented harm to real victims, not fluctuating demand on illicit markets. That makes it a useful anchor for data protection decisions that need to hold up over time.
SSNs are a master key for sustained identity fraud. Their consistent appearance in high-sentence cases reflects the kind of harm they enable: fraudulent tax filings, credit lines opened in a victim’s name, years of recovery. Organizations holding SSNs should classify and protect them accordingly, with strict access controls and active monitoring for exposure.
Social media credentials warrant a security-level response, not just a communications one. The legal record is clear that compromised social accounts are a primary vector for impersonation, stalking, and targeted social engineering, offenses that carry serious custodial sentences. Treat these credentials with the same rigor as financial data.
Legal severity is a useful lens for breach impact assessment. When a breach occurs, the question isn’t only what the data is worth on the market; it’s what harm it enables to the people whose data was exposed. A database of SSNs and social media profiles may represent a lower financial loss than other breach types, but a significantly higher human cost and a greater likelihood of serious downstream criminal activity.
Protect High-Harm Data
Flare’s identity-first threat intelligence platform combines threat intelligence, identity intelligence, and AI-driven workflows for detection through remediation of exposed credentials and identities.





