You're Paying to Be Told You've Already Been Robbed
That's the pitch, stripped down. A dark web monitoring service crawls .onion marketplaces, paste sites, Telegram channels, and closed forums looking for your email address, your passwords, maybe your Social Security number. When it finds something, you get a notification that says roughly: "Your credentials appeared in a breach associated with [Company X], dated [some month you've already forgotten]."
By the time that alert hits your inbox, the data has been circulating for weeks. Months, sometimes. The AT&T breach in early 2024 exposed call and text metadata for roughly 110 million customers, and the stolen records were on ShinyHunters forums before AT&T had even confirmed the incident publicly. The 2023 MOVEit vulnerability (CVE-2023-34362) led to data theft from over 2,600 organisations. Many didn't find out until the Clop ransomware group started publishing victim names on its leak site, which is a hell of a way to learn you've been breached.
The Price Sheet
Privacy Affairs puts out a Dark Web Price Index every year, and the numbers are worth sitting with for a minute. A credit card with CVV: $15 to $80. A full identity package with SSN, utility bill, bank statement: $40 to $100. Hacked Gmail account: about $60. Verified Coinbase account with a balance sitting in it? $610.
Medical records are the premium tier. Name, birth date, SSN, insurance policy, prescription history, all bundled together. A single record can fetch $250 or more. The reason medical data commands that price is that you can't cancel it the way you cancel a credit card. Nobody's issuing you a new Social Security number because some guy in a basement billed a knee replacement to your Blue Cross plan. That data stays useful to the buyer for years.
Then there's the corporate market, which is a completely different animal. Initial access brokers sell VPN credentials, RDP endpoints, and Active Directory accounts to ransomware crews. Secureworks saw a 20% jump in these listings between 2022 and 2023. Prices start at a few hundred dollars for a small company and climb to $50,000+ for admin access to a large enterprise. Consumer dark web monitoring doesn't cover any of this. Not a single provider. Your monitoring service is scanning for your recycled Netflix password while someone else is auctioning off the keys to your employer's entire network, and those two things happen in completely different rooms.
What Your Monitoring Service Isn't Telling You About Its Own Limits
No dark web monitoring provider will tell you what percentage of the dark web they actually cover. You'll never see that number in a marketing deck. The reason is simple: it would be embarrassingly small, and there's no honest way to even calculate it because the denominator is unknowable.
The dark web isn't a database you can query. It's a mess of ephemeral .onion sites, invite-only forums, encrypted Telegram groups, Signal channels, and private Tor services that rotate URLs constantly. Recorded Future, one of the bigger threat intelligence firms, indexes over a million dark web sources. They'd still tell you that encrypted private channels are inherently uncrawlable. If Recorded Future can't see everything, your $15/month NortonLifeLock add-on definitely can't.
So your service catches a credential dump that lands on a popular paste site. Good. But what about the same data when it was sold privately in a 40-person Discord server three weeks earlier? What about the initial access broker who moved your employer's VPN creds through a direct message on Exploit.in? Those transactions happened. Your monitoring service has no idea they happened. And it never will, because the infrastructure to detect them doesn't exist and probably can't.
Alert Fatigue
The average American adult's email address appears in 2 to 3 known breaches, per Have I Been Pwned's data (which tracks over 700 breaches and 12 billion compromised accounts as of late 2024). If you've been online since the early 2000s, you're probably in 10 or more. Run any email address that's been active since the mid-2000s through HIBP and the count climbs into double digits fast. Fourteen breaches for a single address is not unusual.
Here's what happens. You get the first alert and you take it seriously. Change the password, enable 2FA, check your statements. The second alert, you do roughly the same thing but with less urgency. By the fifth alert, you're skimming. By the eighth, you're not even opening them. The alert says a hashed password from some forum you joined in 2017 appeared on a paste site. You changed that password years ago, or the account doesn't even exist anymore. The information is technically accurate and functionally useless.
Some providers try to address this with "dark web exposure scores," which is a concept that sounds more rigorous than it actually is. The idea is to collapse your breach history into a single number, like a credit score but for how compromised you are. NortonLifeLock does it. Experian does it. Aura does it. None of them publish the methodology. There's no independent validation. Whether the number means anything beyond "you've been in some breaches" is genuinely unclear, and nobody in the industry seems motivated to find out.
The Free Alternatives Are Surprisingly Good
Before spending money on this, it's worth knowing what's free. Troy Hunt's Have I Been Pwned. Firefox Monitor, which uses the same underlying dataset. Google's Password Checkup, which is built into Chrome. Apple's password monitoring in iCloud Keychain. All of these check your credentials against known breach databases, and all of them are free.
They cover the most common threat vector: email-and-password pairs from large breaches being used in credential-stuffing attacks. Okta's 2024 State of Secure Identity report put credential stuffing at 24.3% of all login attempts on their platform in Q1 2024 alone. That's not a niche problem. And if your password manager flags a breached credential, the fix takes 30 seconds.
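The mechanism behind a breached-credential check is worth seeing concretely, because it explains why the free tools can do it without ever learning your password. What follows is an added example, not code from the original post or from any of the services it names: a Python model of the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API (which several password managers query for their breached-password warnings). The client hashes the password with SHA-1 and sends only the first five hex characters; the server answers with every hash suffix sharing that prefix and its breach count, and the client finishes the match locally. The server side here is a constructed stand-in with an invented three-password corpus and invented counts; the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>` and returns the same `SUFFIX:COUNT` line format.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample corpus: password -> number of times seen in breaches.
# The counts are invented for this example, not HIBP's real figures.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3861493,
    "123456": 37359195,
    "letmein": 246000,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix): the 5 chars that go over the wire and the 35 that stay local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket the corpus by 5-char prefix -> {suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(pw)
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + count
    return index


def serve_range(index: Dict[str, Dict[str, int]], prefix: str) -> str:
    """Server side (constructed stand-in for the range endpoint).

    Returns one 'SUFFIX:COUNT' line per hash in the bucket. The server only
    ever sees the prefix, so it cannot tell which of the bucket's entries,
    if any, the client was actually asking about.
    """
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("range queries take exactly five hex characters")
    bucket = index.get(prefix, {})
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def parse_range_response(body: str) -> Dict[str, int]:
    """Client side: turn 'SUFFIX:COUNT' lines into a dict, tolerating blank lines."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Client side: how many times this password appears in the corpus.

    `fetch` is whatever performs the range request (here the constructed
    server). Only the 5-char prefix is passed to it; the suffix match
    happens locally, so the full hash never leaves this function.
    """
    prefix, suffix = split_hash(password)
    body = fetch(prefix)
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_CORPUS)
    fetch = lambda prefix: serve_range(index, prefix)
    for candidate in ("password", "letmein", "a-long-unique-random-passphrase-9f2x"):
        n = breach_count(candidate, fetch)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

The design point is in `breach_count`: the bucket the server returns is the same whether or not your password is in it, so a passive observer of the request learns only that your hash starts with one of 16^5 prefixes. Against a real endpoint you would replace the constructed `fetch` with an HTTP GET to the range URL and keep everything else as is.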
What paid services add on top of this is monitoring for Social Security numbers, phone numbers, and access to additional underground sources. Is the delta between free and paid worth $120 to $360 a year? If you're a normal person with a password manager and 2FA enabled, probably not. And a credit freeze at all three bureaus, which has been free under federal law since 2018, does more to block identity fraud than any monitoring alert ever will.
Prevention Over Surveillance
The core problem with monitoring is that it's structurally reactive. The breach already happened. The data already left the building. You're finding out after the fact, and the question of whether "after the fact" is soon enough depends entirely on what the attacker does with the data and how fast they do it. Sometimes you get lucky and the stolen credentials sit unused for months. Sometimes they're being tested against your bank login within hours of the breach, and no monitoring service on earth is fast enough to beat that.
The boring countermeasures are the ones that actually work, which is a recurring theme in security and one that the industry has a financial incentive to downplay because boring doesn't sell subscriptions. Password manager with unique credentials everywhere. Bitwarden is free and open source. 1Password is $36 a year. Either one makes credential stuffing irrelevant for your accounts, because a leaked password from LinkedIn can't unlock your bank if every password is unique and random.
Two-factor authentication is the second layer. Hardware keys like YubiKey if you want the strongest option. TOTP apps like Authy if you want convenience. SMS-based 2FA if those are your only choices, though T-Mobile alone disclosed eight SIM-swap-related incidents between 2018 and 2023, so SMS isn't exactly bulletproof.
And then there's a part most people skip entirely: how much real information you're scattering across the internet every time you fill out a registration form.
The Registration Form Problem
Think about the accounts you've made in the last twelve months. The newsletter where you gave your email to get 15% off a first order. The fitness app that wanted your name, email, phone, and date of birth. The SaaS tool you trialled for a week and never logged into again. The recipe site that made you create an account just to view a page that should've been freely accessible in the first place.
How many of those actually needed to know who you are?
Not "asked for your data." Needed it. For the service to function. The answer, for most of those accounts, is zero. The form had fields. You filled them in. And now your real name, your real email, your real phone number, and your real date of birth are sitting in some startup's PostgreSQL database alongside 300,000 other users, protected by whatever security practices a 12-person engineering team could afford to implement, which in a lot of cases is "we'll get to that next quarter."
Every one of those accounts is a future breach surface. You can't predict which ones will get hit. What you can control is whether the data in those rows points back to the real you.
Synthetic identities solve this at the source. A generated name, a disposable email address, a phone number that doesn't connect to your real life. The service gets a valid registration. You get your trial or your discount or whatever it was. And when that database shows up on a dark web marketplace in 2028, the stolen record describes someone who doesn't exist. There's nothing to monitor because there's nothing real to protect.
Another.IO builds these profiles with fields that hang together, postal codes that match the city, national ID formats that pass validation, phone numbers with correct country prefixes. Not placeholder junk that gets rejected by the first regex check on the registration form. Usable profiles that simply don't correspond to an actual person.
Sorting Your Accounts Into Two Buckets
The practical approach is simpler than most security advice makes it sound.
Bucket one is the small set of accounts where your real identity is unavoidable. Your bank. Health insurance. Government portals. Employer systems. Your primary email. Maybe 10 to 15 accounts total. Protect these with unique passwords, the strongest 2FA you can manage, and if you want, a credit freeze or monitoring service.
Bucket two is everything else. Shopping sites, content platforms, forums, mobile apps, SaaS trials, newsletters, loyalty programmes. This list is usually five to ten times larger than bucket one, and none of it needs your real name or your real anything. Use synthetic identities. Use email aliases through SimpleLogin, addy.io, or Apple's Hide My Email. Fill the forms with data that works but doesn't matter.
Bucket one gets hardened. Bucket two gets insulated with fiction. A breach in bucket two costs you literally nothing: no password to change, no credit to freeze, no anxiety, no time on hold with a fraud department. The person in that database was never real, and you can go about your day.
That's a better position to be in than staring at a monitoring dashboard waiting for the next alert about something that already happened, to data you already can't take back, from a service that already can't tell you the full extent of the damage. You're not going to out-monitor the problem. But you can starve it of real data until there's almost nothing left worth stealing.