Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
$16 billion in stolen Apple, Meta, and Google credentials up for sale for $121,000

5 September 2025 08:21

The Darklab team, Red Hot Cyber’s community of threat intelligence experts, has identified an ad on the dark web marketplace “Tor Amazon”, the criminal counterpart of the popular e-commerce site on the clear web. The listing offers an unprecedented archive: 16 billion compromised credentials from leading platforms such as Apple, Facebook, Google, Binance, Coinbase, and many others.

The listing, priced at 1 Bitcoin (about $121,000), represents one of the largest and most diverse collections of data ever to appear in the underground circuits.

Images from the post published on the Amazon TOR underground marketplace (Source Red Hot Cyber)

Origin and nature of the leak

According to Darklab’s analysis, the archive does not originate from a single data breach, but from 30 distinct collections generated through malware campaigns.

The malicious actors reportedly exploited corrupted files and social engineering techniques to infect victims’ devices, harvesting credentials primarily from users who reused weak passwords or had not enabled advanced security measures.

This feature makes the dataset particularly interesting from an investigative perspective, as it allows us to observe not only platform vulnerabilities, but also users’ bad habits and the real impact of the malware on daily security.

Sample of the data offered for sale in the TOR Amazon underground market (Source Red Hot Cyber)

Size and geographic distribution

  • Volume: the collections range from 16 million to 3.5 billion records each, with an average of approximately 550 million credentials per batch.
  • Geographic concentration: The data is particularly dense in Asia and Latin America, regions often more exposed to mass breaches due to less resilient digital infrastructures and low user awareness.
  • Platform diversity: The leak covers heterogeneous environments – social networks, email services, financial platforms, and development portals – offering a cross-section of attack surfaces.

Implications for cybercrime and research

The sale on Tor Amazon reflects the growing threat of criminal marketplaces, which replicate the typical logic of legitimate e-commerce: escrow systems for transactions, buyer feedback, and post-sales support.

For cybercriminals, data represents an immediately monetizable resource through:

  • large-scale phishing campaigns;
  • account takeover and financial fraud;
  • compromise of crypto wallets and related services.

For researchers and analysts, however, the dataset constitutes a valuable source for:

  • studying the distribution patterns of malware;
  • understanding the impact of poor digital hygiene;
  • outlining historical and economic trends of breaches on a global scale.

Final Considerations

The discovery made by Darklab highlights how the dark web criminal ecosystem is evolving towards increasingly structured and competitive models.

At the same time, it reiterates the need to adopt minimum protection measures—password managers, multi-factor authentication, continuous monitoring of data leaks—which remain the most effective defenses against threats of this magnitude.

In this scenario, the monitoring and analysis conducted by communities like Darklab prove crucial for uncovering phenomena that, if ignored, risk compromising entire digital ecosystems.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.