
Booking flights, applying for visas, and reserving hotels feels like part of the adventure — until your travel documents detour onto the dark web. Cybercriminals are flipping scanned passports for as little as US$10 and as much as thousands of dollars. It’s an illicit market so surreal it sounds like a bad heist movie, except it’s all too real. Saily, together with NordVPN, is here to uncover the truth about how your travel documents are stolen, why criminals want them, and how you can protect yourself.

Cybercriminals use several techniques to steal your travel documents, often without you realizing it. Some of the most common ways travel documents end up on the dark web include:
Info-stealers. Hackers use malware to target your devices, like laptops, phones, or tablets. This malware looks for sensitive files stored on your device or synced with cloud services, such as your email inbox or travel folders. If you’ve saved a copy of your passport or visa, the malware can grab it and send it to the hacker.
Compromised travel websites. Travel agencies, airlines, and visa-application websites are full of personal data. Unfortunately, criminals target these platforms to steal uploaded files like passport scans, visas, and travel itineraries. Once they break into these systems, they often dump all the stolen documents to sell on the dark web.
Fake travel sites. Cybercriminals create fake websites that look like real airline check-in pages or visa application sites. These phishing websites trick you into entering your personal information and uploading travel documents. Once you submit your sensitive data, the hackers behind the fake site steal it and then sell it.
Unsecured cloud links. Many people store travel documents on cloud services for convenience. However, if these documents are shared improperly, such as with public-sharing permissions (“anyone with the link can view”), they become vulnerable. Cybercriminals can use Google dorking (a method of searching for exposed files using advanced search queries) and other techniques to find and exploit these files.
Physical theft. Lost or stolen passports, boarding passes, or IDs often make their way to dark web marketplaces. Even a discarded boarding pass might contain enough information for someone to exploit. Hackers can scan these items and sell them to criminals looking to commit fraud or identity theft.
Criminals value stolen travel documents for several reasons: they are highly profitable and simple to use, require minimal verification, and often contain personal data that criminals can further exploit for identity theft and other crimes. Let’s explore each of these reasons in more detail.
Travel-related documents hold significant value on the dark web. Prices vary based on quality, country of origin, and demand. Recent data from the threat exposure management platform NordStellar revealed a great variety of items criminals sell on the dark web:
Scanned passports and IDs. Cybercriminals sell scanned passport images for US$10-200, depending on quality, while ID scans go for US$15.

Full verifiable documents. Genuine passports, driver’s licenses, IDs, and permits are typically sold for prices ranging from US$20 to US$1,800. EU passports rank among the most expensive, costing €5,500 (approximately US$5,830), with a 25% discount for additional family members in “family packages.” According to NordVPN’s Dark web case study, prices vary greatly by country, with Argentinian passports being the cheapest and Czech, Slovakian, and Lithuanian passports tied as the most expensive.


Work visas and sponsorship letters. Some sellers do not publicly disclose the prices for these documents, but they are likely to be expensive.

Stolen loyalty accounts. Cybercriminals sell airline loyalty accounts with high-mile balances on the dark web for US$35-700. Accounts with 1-5 million miles, like those from Alaska Airlines, sell for top prices of US$700. Criminals also use stolen American Airlines accounts to book business-class flights for US$200 using 200,000-300,000 miles. Hacked loyalty cards with high point balances go for US$20.



Fraud manuals. Cybercriminals sell detailed guides for hacking flight and hotel booking systems, known as “Flight & hotel cracking & booking manuals,” for US$150-250.

EU visa stickers. Cybercriminals sell EU visa stickers on the dark web for €300 (approximately US$350).

Fraudulent visa services. Some dark web sellers provide fake visa issuance services for €400 (approximately US$464), which allow buyers to bypass legitimate application processes.

Discounted Booking.com reservations. Travel hackers resell pre-booked trips on platforms like Booking.com at discounts of 40-50% off the original price, typically charging around US$250 per deal.

Travel documents are a goldmine for criminals because many online platforms rely on relatively weak identity checks. A clean scan of a passport or ID and a selfie is often all it takes to pass verification on websites, financial services, or even travel portals.
Criminals know how to manipulate this system. They combine stolen documents with advanced tools like deepfake technology to mimic the victim’s face. This combination of stolen data and AI-driven deception allows them to open fraudulent accounts, rent properties, or even book trips in someone else’s name.
When criminals steal one piece of travel data, they often get much more. A single Passenger Name Record (PNR) is a treasure trove of information that can include your full name, date of birth, passport number, email address, phone number, and even emergency contact details.
This package of personal data — often called "fullz" in hacker slang — refers to a complete set of details tied to one person. Fullz is highly valuable because it allows criminals to commit tailored fraud. For example, with your PNR, a thief could potentially book flights under your name, bypass security checkpoints, or tailor phishing emails to seem even more believable.
The more complete the information, the more dangerous it becomes. Criminals can use fullz not only for travel fraud but also to open bank accounts, apply for loans, or steal your entire identity. It’s not just about one stolen document — it’s about how all these pieces combine to magnify the damage.

Travel isn’t just about where you’re going — it’s also about how you prepare. By being mindful of your data, you can make it much harder for criminals to steal your information. These steps can help you stay safe:
Store your documents in encrypted storage or a private digital vault. To keep them safe, turn off public-sharing features in cloud storage.
Always check URLs before entering personal data. If a website for a visa application or airline check-in looks suspicious, don’t proceed. Use NordVPN’s link checker to confirm if the link is legitimate or a scam. Additionally, check official sources and be cautious of emails or messages that pressure you to act quickly.
Install reliable antivirus software on your devices to block malware that could steal your files. Update your operating system and apps regularly to fix security gaps.
Using public Wi-Fi at a coffee shop or airport can expose your data to hackers. A virtual private network (VPN) encrypts your connection to keep your information more secure.
To add an extra layer of safety, Saily’s web protection blocks malicious sites and limits tracking, which is especially helpful when connecting to unfamiliar networks abroad.
Check your loyalty accounts, email, and financial statements frequently. If you notice anything unusual, act immediately to protect your accounts and stop further damage.
If you lose your passport, ID, or any sensitive document, report it right away to limit how criminals can misuse your information.
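The URL check recommended in the steps above can be automated. The following is an added example, not part of the original article or any NordVPN or Saily tool: it compares a link's host against a short allowlist of official domains and reports the tricks fake check-in and visa sites commonly rely on. The domains in `OFFICIAL` and the function names are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hypothetical official domains for an airline and a visa portal.
OFFICIAL = ("examplair.example", "visa.gov.example")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str) -> list[str]:
    """Return warnings for a link; an empty list means an allowlisted host over HTTPS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # In https://official-name@other-host/ the real host is after the "@".
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")  # possible homoglyph domain
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return warnings  # the official domain itself or one of its subdomains
    warnings.append("not-on-allowlist")
    for d in OFFICIAL:
        if d in host:
            # Official name used as a prefix of a different registered domain.
            warnings.append(f"official-name-embedded:{d}")
        elif edit_distance(host.removeprefix("www."), d) <= 2:
            warnings.append(f"lookalike-of:{d}")
    return warnings
```

An empty result only means the host matches the allowlist; it says nothing about links to domains the list does not cover.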
Traveling should be about enjoying new experiences, not worrying about your identity being sold on the dark web. Cybercriminals rely on people overlooking the risks of sharing and storing sensitive information.
Start protecting yourself today: secure your accounts, use a VPN, take advantage of Saily’s security features, and stay vigilant against travel scams. By staying proactive, you can make it harder for criminals to exploit stolen travel data.

The research was conducted by NordVPN and Saily researchers between June 10 and June 20, 2025, using data analyzed through NordStellar, a threat exposure management platform. The analyzed information came from dark web marketplaces and hacker forums where stolen travel documents and related data are advertised for sale.
The examined data included listings of passports, visas, loyalty accounts, and booking details, along with their prices. The analysis focused on the availability, pricing, and risks of travel document trafficking to raise awareness and guide travelers in taking precautions.


Violeta grabs life by the passport, with her phone always ready to snap pictures, and instant internet access keeping her connected. She believes the best buys are plane tickets and an eSIM, which allows her to stay connected wherever her adventures take her.