The online market for forged identity documents is quickly evolving. Sellers of these documents operate both on the surface Web and on the deep Web, specifically in ‘Onionland’, thanks to the typical features of the internet: anonymity, gaps in legislation and the absence of a real tangible distance in cyberspace create an environment that provides several advantages to fraudsters. In this article, Marco Romagna analyses and explains the techniques that online sellers of forged identity documents use to get in contact with clients. It is a synthesis of a wider project conducted between June 2013 and January 2014 that studied the whole organisation and the methods used.

The market has been studied with a criminological approach, mainly using virtual ethnography. The analysis was conducted on the surface Web and on a part of the deep Web that is called ‘Onionland’. While the former is the part of the Web which most people use routinely, the latter may need some further explanation. 

Onionland is part of the deep Web, that portion of the Web made of dynamically‑generated internet content that cannot be accessed by a link-crawling search engine such as Google.1 Onionland is a dark net, a sort of parallel Web, which can only be reached using specific software called Tor. Tor, an acronym for ‘The Onion Router’, was originally designed and implemented by the US Naval Research Laboratory.
Its primary purpose was the protection of government communications. Although still used by the military, Tor is nowadays employed for a wider variety of reasons by ordinary people, journalists, law enforcement officers, activists, criminals and many others. It is a network of virtual tunnels that allows people and groups to improve their privacy and security on the internet and to remain anonymous. This is the main reason why Tor became so successful (there are a few million users connected every day) and why it is also a perfect place for illegal activities. 
During the research 50 websites and blogs that produce forged identities were analysed, and 65 vendors were contacted through email. An important source of information was the forum ‘’ where hundreds of posts and comments linked to the market were analysed. 

Sellers on the cybermarket
The profiles that emerged from the research showed significant differences. It was possible to isolate three main types of sellers:  
• Group A: Website owners: sellers who manage a website or a blog which is used as an online shop. They are present both on the surface Web and in Onionland.
• Group B: Email sellers: sellers who spam forums with advertisements to publicise their products. They are massively present on the surface Web, but rare in Onionland. It is highly likely that 85% of this group are scammers and ‘con artists’.
• Group C: Onion vendors: vendors active in Onionland who use dedicated illegal markets, such as Black Market Reloaded, Silk Road and Sheep, or specific forums.

Group A: Website owners on the surface Web
The website owners active on the surface Web usually work in a team. Every member of the team has a specific function: managing the website, sourcing the materials for the products or creating the forged documents. It is likely that these websites are hosted on offshore servers or in Eastern European or Far East countries, where criminal legislation is weaker. Websites and blogs are built up in a similar way: the homepage presents links to products, prices, contacts and FAQ. Sellers deny any responsibility for the production and commercialisation of forged identities, arguing that the documents are just for fun, without any unlawful intention, and that they should not be used for illegal activities or as genuine documents.
Payment methods and prices
Discounts are often offered if the client buys a special deal such as ‘the full identity package’: an identity card, a passport and a birth certificate (although the products can vary). There are different methods of payment depending on the seller: cash, cheques, bank transfers, credit cards and Western Union or an equivalent are accepted, but also PayPal, Ukash, MoneyGram or even Bitcoin. Upfront payment is the rule, which can vary from 15% to 60% of the total amount. This is justified as cost for materials, machines and bribery. Since the upfront payment is often an indication of a scam, some sellers follow a scheme directed to gain the trust of the client. First they take the order, after which they send a video that shows the creation of the requested document. When the trust of the customer has increased they ask for the upfront payment.

Many websites claim to be able to provide any identity document, but their reliability is really low. Others are instead specialised in particular products:
• American driving licences: USD 200 – 230;
• American IDs: USD 20 – 130;
• IDs and driving licences of European countries (mainly Germany, Italy, France, Spain and The Netherlands) and English‑speaking countries (United Kingdom, Australia, New Zealand and Canada): EUR 100 – 150.

Some websites specialise in passports. In general they claim to be able to provide both counterfeit passports (which they call ‘fake’) and original ones. A fake passport has a low quality: the buyer receives a copy or a scan of a genuine passport, which can be used to purchase products on the Web or to prove an identity when it is not necessary to physically show the document. Forgers speak about ‘original’ documents when they claim to be able to provide a passport with all the standard security features and which is registered in a national database. This product is more expensive, but it should provide the possibility to travel and to pass security controls.
Passport scans or replicas cost EUR 200 – 300. For a supposedly genuine one vendors ask EUR 3,500 – 4,000 (Indonesian) up to EUR 12,000 for a passport from the United Kingdom, but prices can go up to EUR 70,000 for a diplomatic passport. Prices depend on the chosen nation: the European countries are the most expensive. 
Some companies also provide non‑existent documents and consequently scam the client. Examples are the ‘European identity card’ or the ‘European work permit card’.2

Group A: Website owners in Onionland
The sellers of Group A in Onionland are organised slightly differently than on the surface Web. First of all, sellers in Onionland ask clients to register themselves on their website with a username and a password. Secondly, without the registration, it is impossible to get access to the full contents of the website and to contact the seller directly. Thirdly, all the companies seem to specialise in selling only a limited number of documents, for instance only passports from a small group of selected nations. The only accepted payment method is Bitcoins. Passports are the main documents available: the website ‘Onion Identity Services’ sells Canadian passports for USD 2,500, Dutch ones for USD 3,150 and a passport from the UK costs USD 4,000. For the identity cards or driving licenses the amount varies from USD 200 – 1,000.

Group B: Email sellers
Email sellers are involved in verbal fights in forums and websites such as This ‘war’, using techniques of social engineering, is made by fake and real feedback written, on the one hand to gain the credibility and the trust of the clients, and on the other to destroy the reputation of the competitors. The analysis of the wording shows that the contents and approaches are always the same: the seller affirms his abilities and long experience in the field, meanwhile warning the client of the risks of dealing with other retailers.
The products offered by email sellers range from passports to identity cards, from driving licenses to birth certificates, for every nationality. Sellers claim to be able to provide copies, new identities and tampered/used documents belonging to other people. In the latter case only the photo and the data physically printed on the passport are replaced, while the information on the chip is still the one of the previous holder. These documents can be safely used as long as they are not verified with a machine reader.
Other vendors claim to produce e‑Passports, registered in the database of the issuing country. They claim to work with groups of hackers who are able to break into a system and modify the database. Nonetheless, it is highly unlikely that they are able to modify public and secured databases in a short period of time, considering that their delivery time is two to seven days.
All sellers provide email addresses, telephone numbers (usually numbers in Western Africa) and Skype contacts. Some email sellers are active on Facebook and YouTube.
The price for a genuine passport ranges from EUR 500 – 2,500, while for a fake one the price lies between EUR 500 – 900. Identity cards and driving licenses are cheaper, up to EUR 600.

Group C: Onion vendors
The final group is represented by onion vendors who mainly use dedicated markets in Onionland, such as Silk Road or Black Market Reloaded. They also place their advertisements in other forums where it is possible to buy weapons, drugs and stolen credit cards. What are the differences with the other groups?
First of all, onion vendors must register themselves on the market in order to be able to sell a product. They can choose to be ‘vendors & purchasers’ or only vendors, but unlike the purchasers (who must be registered as well), vendors immediately have to pay a fee in order to rent the ‘advertising space’. 
Secondly, they are limited to a set of internal self‑made regulations that help to build trust with clients. The customers and the other vendors can use their social control by denouncing fraudsters or unreliable sellers, while the owners of the market can exercise a formal control useful to reduce the risk of opportunism. The consequences for failure to comply with the regulations can be the immediate expulsion from the website. It is difficult to say how strict the website controls are, but these policies are likely to be important for the platform itself: the other sellers have all the advantages to stop a fraudster, particularly if they want to keep an open market where clients feel safe. It is a way to maintain trust based on reputation.
Finally, and most importantly, there is a system of feedback. Customers can leave comments in which they describe both the quality of the product and of the vendor.

Like other groups active in the Dark Net, the onion vendors are also characterised by the limited variety of the products sold: vendors only provide some specific documents limited to a small number of nationalities. There is usually an accurate description of the document, how it can and cannot be used.
The prices of the market are a bit higher than the ones on the surface Web. A scanned ID can cost up to EUR 500, while for a genuine passport the amount rockets to several thousands. It is possible to contact the vendor privately or to use the public board on the market. It seems there is a prevalence of independent and acting‑alone sellers, whereas specialised teams were not encountered. While on the surface Web the retailers often mention where the products come from, onion vendors never mention their contacts.

The cybermarket for forged identity documents is quickly evolving, thanks to the typical features of the internet: anonymity, gaps in legislation and the absence of a real tangible distance in cyberspace create an environment that provides several advantages to fraudsters. It is possible to conclude that a high percentage of the sellers, around 70%, are probably scammers who are unable to provide any identity document. Nevertheless, a number of vendors in category A) and a large percentage of the sellers who operate in Onionland are more ‘trustworthy’. It is highly likely that they can provide the requested products. This market is a means to conduct an activity that has its roots in the physical world, and chances are high that it will become a problem for law enforcement agencies. Vendors can easily disappear when they feel hunted and they can quickly create a new website or new market. This risk is increased by the fact that legal control is extremely weak in Onionland.

1 Deep Web search and Dark Web search – similar names; major differences! Bright Planet (2012).


Marco Romagna is a cybercriminologist and expert in the field of cybercrimes and Internet law. He has an LL.M. (Trento University) and an MA in Global Criminology (Utrecht University). Marco collaborated with eCrime (the research group on ICT, Law and Criminology of Trento University), with Cardenal Herrera University in Valencia and with the Cyber Security Academy in The Hague. He is currently an intern in the Case Analysis Unit at Eurojust, the EU agency dealing with judicial cooperation in criminal matters.
