- Cybercriminals are selling stolen login details belonging to South Africans for as little as R100 on dark web marketplaces.
- Major institutions including Standard Bank, Liberty Group, Statistics South Africa, and Polmed have all reported data breaches in recent months.
- Security experts warn that AI and automation are making attacks faster, cheaper, and harder to detect than ever before.
Cybercriminals are cashing in on South Africa’s growing data breach crisis. Stolen credentials belonging to South Africans are now selling for as little as R100 on dark web marketplaces, and security experts say the problem is getting worse.
A wave of high-profile breaches has hit the country’s biggest institutions, and the stolen data is already making its way into criminal hands. The dark web is a hidden section of the internet that standard search engines like Google and Bing cannot index. Users need special software (most commonly the Tor Browser) to access it.
While journalists and activists use it for privacy, criminals have turned it into a thriving marketplace for stolen data, hacking tools, and illegal services.
Standard Bank, Polmed, and StatsSA Among Recent Breach Victims
Several major South African institutions have confirmed breaches in recent months. Standard Bank acknowledged that unauthorized parties accessed certain client information (including personal identifiers), though the bank stressed that its core banking systems remained intact. Its subsidiary, Liberty Group, suffered a related incident that also exposed customer data, prompting forensic investigations.
Statistics South Africa reported a cybersecurity breach affecting internal HR systems, raising serious concerns about government data exposure. Polmed (the medical aid scheme serving South African Police Service members) also disclosed a potential breach involving sensitive member information. Together, these incidents paint a clear picture of an escalating and sustained attack pattern targeting critical institutions across the country.
The stolen data from such breaches often fuels other dark web activities, including drug sales. The NSW Police arrest of a dark web drug dealer who used cryptocurrency to facilitate transactions shows how cybercriminal ecosystems are interconnected, with data breaches providing the identity information that drug dealers might use to create fraudulent accounts.
Criminals Now Run Dark Web Operations Like Online Businesses
Security experts say the sophistication of these operations has grown dramatically. Shayimamba Conco, security evangelist for Africa at Check Point Software Technologies, says criminals on the dark web now run their operations like legitimate online businesses, selling tools and services that allow almost anyone to launch attacks.
South Africa is seeing a major rise in stolen login credentials, thanks to data collection malware. Conco notes that attackers now use AI and automation to expand their operations, so companies face attacks that are both more frequent and more effective.
Dr Manny Corregidor, CEO of information security firm Telspace Africa, identifies several routes through which credentials end up on dark web marketplaces. The first is infostealer malware, where a victim unknowingly installs credential-stealing software on their device.
“After infecting the device, the malware quietly pulls out all saved login details from browsers and the device itself,” he says.
Corregidor adds that cybercriminals are increasingly using phishing and AI-powered social engineering to harvest credentials, sending custom emails that trick victims into handing over login details. Large-scale breaches also fuel the trade, with stolen passwords, usernames, ID numbers, and financial details packaged and sold on dark web forums.
Conco notes that the most common items for sale include email addresses and passwords (often in large batches). But criminals are increasingly trading browser session data, which lets them access accounts without needing a password at all.
“Stolen login credentials are cheap. Basic username and password combos can sell for only a few rand, and even access to higher-value systems like company networks sometimes goes for less than R100. Due to the fact that so much stolen data floods the market, prices stay low, making it easy for cybercriminals to buy what they need and launch attacks,” he says.
Experts Urge Organisations to Monitor the Dark Web Now
Corregidor says the dark web’s encryption and anonymity make it very hard for security teams to spot leaked credentials unless they use specialized tools.
He adds that while companies can use dark web monitoring services to check forums, breach databases, and hacker marketplaces for stolen credentials, those methods aren’t completely reliable.
“Even free tools such as ‘Have I Been Pwned’ can identify common breaches, but no solution guarantees full visibility,” he cautions.
Conco agrees, noting that many organisations only discover a breach after spotting suspicious activity (such as unusual login attempts or misused accounts). “That’s why ongoing monitoring matters: it helps you spot exposed credentials early, before they turn into a larger security incident,” he says.
If a breach occurs, Conco urges organisations to act fast: change affected passwords, enable multi-factor authentication, log users out of active sessions, investigate how the exposure happened, and educate staff to prevent it from happening again.