New criminal service plans to monetize data stolen by ransomware gangs
Summary: A new cybercrime service called "Leak Bazaar" is attempting to turn data stolen in ransomware attacks into a more valuable commodity, raising concerns that hackers could systematically exploit personal information at scale. The service is being promoted on multiple criminal forums on the dark web and aims to organize messy stolen data into structured intelligence for sale or extortion, which could increase pressure on companies and individuals and lead to more fraud and extortion aimed directly at individuals.

2026-3-31 14:45:41 Author: therecord.media

A newly proposed cybercrime service is promising to turn stolen data from ransomware attacks into a more profitable commodity, raising fresh concerns about whether hackers could begin systematically exploiting, at scale, the enormous volume of personal information they have hoarded.

Advertisements for Leak Bazaar are appearing across multiple criminal forums on the dark web, with the service soliciting customers and affiliates. As described in a recent blog by cybersecurity company Flare, it pitches itself as something closer to a data-processing business than a typical hacking or ransomware-as-a-service operation. 

Like a legitimate data processing enterprise, Leak Bazaar’s goal is to take vast, messy datasets stolen in cyberattacks and turn them into structured, searchable intelligence that can be sold or used for extortion.

“This is effectively an e-discovery service for stolen data,” said Tammy Harper, a researcher at Flare and the author of the company’s blog post.

The idea speaks to longstanding fears among law enforcement officials and cybersecurity experts who have been tackling the ransomware ecosystem.

While attackers routinely steal enormous volumes of information — corporate secrets, financial records and personal data — much of it is never fully used except as collateral for extortion.

“The disruption of LockBit proved that the groups didn't delete the data when they promised that they did,” said Will Lyne, the head of economic and cybercrime at London’s Metropolitan Police Service who previously worked on the U.K. National Crime Agency’s LockBit operation.

“That shows the threat actors know it has value. I always thought it possible for cybercriminals to exploit data obtained in ransomware operations — that it could become a viable business model. There are vast quantities of largely unexploited data available,” Lyne added.

Leak Bazaar represents an attempt to unlock that value by processing stolen data into something more targeted and potentially more harmful.

Lyne said the risks fall into three main areas: giving attackers more leverage to pressure companies into paying, enabling follow-on crimes such as fraud and business email compromise and, most concerningly, allowing criminals to directly extort individuals by threatening to publish sensitive data unless they pay.

That final scenario of criminals contacting individuals directly using sensitive personal information has long been discussed but rarely observed at scale. More structured datasets could also make it easier to carry out targeted phishing or fraud.

“So then the question becomes: what do you do with all this data?” said Harper. “A lot of it ends up being useless. These services are trying to filter it, package it and make it more relevant, so the quality of the leak actually increases.”

According to Harper, the model reflects broader changes in the ransomware ecosystem. As law enforcement pressure has disrupted major groups, the landscape has fragmented, with more actors entering the space and experimenting with new ways to make money.

“They’re trying to maximize extortion,” she said. “The debate has always been what works best — locking systems or stealing data. And the answer is: it depends on the victim. What hurts more?”

That experimentation has led to growing interest in how stolen data itself might be monetized — not just used as leverage in negotiations, but processed and reused.

Issues with scale

But whether personal data is the key to that shift remains unclear. Despite the scale of data theft in ransomware attacks, there is limited evidence that criminals systematically exploit personal information at scale. Most experts believe such personal extortion runs counter to the economics currently driving the ecosystem.

“I don’t actually see huge criminal monetization risks from personal data in this context,” said Jamie MacColl, a researcher at the Royal United Services Institute who in 2024 published a paper detailing ransomware harms. “Attackers are much more interested in corporate data, things they can use for extortion or to gain access to other systems.”

That preference reflects the underlying economics of ransomware. Rather than extracting maximum value from each dataset, most groups operate on volume, targeting large numbers of victims and accepting that only a fraction will pay.

“It’s about achieving scale and having access to enough victims,” MacColl said. “They operate on the basis that they won’t succeed every time, but if they succeed 20 percent of the time, that’s still tens of millions of dollars.”

“It just doesn’t really fit with the operating model to spend time analyzing individual datasets in depth,” he added.

Harper points to the same economic constraints from a different angle: the sheer effort required to extract value from stolen data.

“It’s a lot of work,” she said. “You have to get access, find the valuable data, exfiltrate it, and then actually carry out the extortion. And even after all that, you might not get paid.”

Failed negotiations are common, she added, leaving groups with large volumes of stolen data that are costly to store and difficult to monetize.

“That’s where these services come in,” Harper said. “They’re basically offering to go through the data, reduce the noise and make it more targeted.”

If that approach proves viable, researchers say it could change how stolen data is used and increase the harm caused by breaches. But they say there are reasons to doubt the model will take off.

“The only way I can really see this driving a significant market is if criminals’ current ways of making money start to fail,” MacColl said. “Most criminals are going to keep doing the lowest-effort activity that generates the greatest return. And right now what they’re doing is still working pretty well.”

There are also practical barriers. Even with the advances offered by new AI technologies, processing large datasets requires infrastructure, computing power and bandwidth, all of which are expensive.

And unlike traditional cybercrime markets, where buyers can test stolen credentials, a service like Leak Bazaar would require a higher level of trust between participants in an inherently untrustworthy ecosystem.

“Why go to all the bother if you can make more money more easily with what is currently available within the ecosystem?” Lyne said.

For now, the concept remains largely unproven. Harper said the real test will come when the service produces its first demonstrable case, showing not just that data can be processed, but that doing so leads to meaningful returns.

“What we’re waiting for is the first victim,” Harper said. “That’s when we’ll see what this actually looks like in practice.”

Until that point, Leak Bazaar heralds ongoing experimentation in the cybercrime ecosystem, even if the factors driving the current cybercrime economy don’t suggest a major need to maximize returns from data stolen in extortion attempts.

“Do I think it will take over? No, not necessarily,” Lyne said. “But it feels like it’s coming.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79


Article source: https://therecord.media/new-criminal-service-plans-to-monetize-ransomware-data