Hackers selling bundled enterprise data on the dark web to maximise profits

Threat actors are bundling data obtained through multiple industrial breaches in Australia and selling the bundles on the dark web to maximise their profits, Cyble said.

 

The cyber threat intelligence company said in a blog post Thursday that it is observing a new trend taking shape in cybercriminal marketplaces of threat actors packaging, repackaging and marketing stolen data on underground marketplaces.

 

In 2025, threat actors increasingly marketed "breach packages" in underground markets by combining data stolen from multiple organisations, thereby increasing the commercial value of stolen data and attracting a larger pool of purchasers such as ransomware affiliates, access brokers and fraud groups. The activity also helped criminals save time on marketing each exploit separately.

 

"This move has a direct impact on how exposed enterprises will be in 2026 and is not merely cosmetic; rather, it represents a structural shift in how cybercriminal ecosystems monetise stolen information," Cyble said.

 

The threat intelligence company said Australian businesses suffered disproportionately higher percentage of breaches in 2025 compared to the rest of the world, with the number of reported breached rising 48% year-on-year compared to 18% globally. Australian companies reported 71 breaches between January and early October 2025 compared to 48 breaches reported at the same time in 2024.

 

The bundling of breached data and their sale in underground markets exposes Australian organisations to far greater harm by giving well-resourced hackers a larger pool of stolen data to mount social engineering attacks or to breach protected networks using stolen credentials.

 

"Stolen datasets become modular assets that can be repackaged across multiple campaigns, contributing to the growing volume of dark web data breaches impacting Australian organisations," Cyble said. The company warned that attackers can now use a single vendor’s data to target multiple downstream organisations, thereby increasing the attack surface far beyond the enterprise’s direct control.

 

According to the company’s research, corporate datasets that include bulk customer data, financial details and PII are sold in underground markets for up to $100 per log. Identity kits such as driver’s licences are sold for about AUD $1,500 and passports for more than AUD $1,200.

 

Ransomware affiliates often purchase remote access via RDP or VPN to target organisations, and malicious actors use stolen identity documents to carry out KYC fraud, SIM swaps and account takeovers. "Corporate emails and legal files become tools for precision business email compromise (BEC), and even old breach data resurfaces months later in phishing campaigns or bundled stealer packs," Cyble said.

 

"Australian organisations face unique risks because of the global value of their IDs, passports, and licenses is highly trusted and difficult to replace, combined with an increasingly aggressive regulatory environment, as seen in OAIC’s enforcement actions against Optus and Medibank," it added.

 

In 2025, Australian businesses compromised by cyber criminals operated in critical sectors such as energy and utilities, banking and financial services, telecommunications, healthcare, information technology, manufacturing, transportation and hospitality sectors.

 

Hacking each of these organisations gave hackers access to valuable enterprise, commercial and customer data that could be reused to target more organisations, perpetrate fraud, demand ransom or sold in underground markets for profit. The scale of breaches included the theft of 2TB of data from a major airline, the theft of 27,000 data records containing KYC data and user identities from a trading platform, the theft of credentials for pension funds, and the theft of millions of operational files from petroleum distribution and internal logistics networks.

 

"The breadth of targeting highlights a key reality: attackers are no longer selecting industries solely based on prestige or financial value. Instead, any organisation with usable data, operational leverage, or weak third-party dependencies becomes a viable target," Cyble added.