Threat Intelligence

Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more

Dan Virgillito
August 3, 2021 by
Dan Virgillito

According to Flashpoint’s annual research of the pricing trends seen on dark web marketplaces, a wide gamut of tools and service offerings are available for sale at an affordable cost. Last year’s dark web crime statistics revealed that dark web activity has increased by 300% since 2017. This is encouraging entry-level and intermediate hackers to conduct new attacks.

From ransomware exploit kits and legacy ransomware bundles to tailored phishing pages and RDP server access — the dark web marketplace is thriving as bad actors look for software and programs to commit fraud and cybercrime. 

Dark Web Hacking Tools

Exploit kits for phishing, ransomware and others

During their research, Flashpoint researchers found various types of prepackaged exploit kits being sold on the marketplace. These automated tools allow hackers to first exploit websites and compromise visitors’ browsers to carry out their attacks. Below are the kits getting a regular stream of new listings. 

Ransomware exploit kit

The cheapest among the lot, the ransomware exploit kit allows hackers to exploit known vulnerabilities in applications or systems. A hacker can use them to secretly launch attacks as victims are surfing the web to inject and execute some form of ransomware. Most ransomware exploit kits rely on an array of unique code obfuscation techniques to escape detection. 

Legacy ransomware (bundle of 9 types)

Certain dark web sellers are also offering potent forms of ransomware in a bundle deal. These bundles contain some of the most dangerous file-encrypting malware that has terrorized companies in the past, like SamSam, XiaoBa, Satan, Maniber and more. And besides ransomware, the bundles include tutorials and guides on how to conduct attacks and even exploit specific vulnerabilities. 

Tailored phishing page with tutorial

The name says it all. Hackers get a tutorial for creating a custom phishing page based on their target’s preferences. Victims are redirected to these pages by sending links and provoking them to click on the URLs. The hack intends to steal banking credentials, account passwords and other confidential information. 

Office 365 exploit kit

This is the most expensive exploit kit on the dark web marketplace, and it’s easy to understand why. Being one of Microsoft’s most ubiquitous business products, Office 365 is protected by a range of advanced security technologies that are hard to exploit. As such, kits capable of crippling Office 365 defenses are classified as “premium” and often priced higher than other exploits. The kits typically work by setting up a phishing page or exploiting vulnerabilities in the Office 365 web portal.


The growth of DDoS-for-hire services comes at a time when distributed-denial-of-service attacks are becoming difficult to defend against. Considering how these services are priced (typically in the range of $20-$100 per day based on duration and bandwidth requirements), many hackers can afford to invest in them to cripple the defenses of their target organization.

The upper-tier DDoS-for-hire services include taking down larger websites via custom-crafting, which is necessary due to the widespread use of CDNs and DDoS protection improvements. In terms of popularity, DDoS-for-hire services that charge hourly rates take the top spot. Although booters remain prevalent, the need for customization and real-time support makes subscription choices more attractive to buyers.

Buyers can also purchase advanced DDOS-for-hire services that utilize scripts to bypass private OVH and Cloudflare implementations. And a fully managed package is also available for $165. 

RDP with server access

Remote desktop protocol (RDP) clients and server software are also in demand. Attackers can use them to execute various attacks, including payment fraud, ATOs (account takeover attacks) and remain undetected while conducting their surveillance on security researchers and law enforcement agencies. Here’s a list of RDP clients and server access sold on the dark web.

Bank drop RDP via PayPal

Bank drops, or fraudulent bank accounts made using stolen credentials, have been used to support cash-outs and other fraud schemes in the past. Bank Drop RDP via PayPal is an exploit created using a clean RDP linked to a verified PayPal account. Hackers can use it to bypass the stringiest security measures banks have in place, with the PayPal account acting as a catalyst for account checks and other verification.

Hacked RDP

Some RDP sale items also include compromised RDP, which are predominately ports from infiltrated servers. Hackers can leverage these ports to move laterally across an organization’s network. Ports become vulnerable when they’re left open due to misconfigurations or oversight. And it doesn’t help that companies often leave RDP passwords as standard.

RDP, country-specific

Country-specific RDP can help hackers bypass geo-blocking and carry out attacks on local organizations and governments. Flashpoint pricing analysis revealed that these RDPs go for $26 and are helpful in specific cybercrime groups.

RDP global admin access

 The least expensive RDP on the list is one with global admin access. Hackers can use this to steal the sensitive data of multiple private and public organizations. As the findings from Flashpoint’s research indicate, data like bank logs, payment card information and digital copies of government-issued IDs carry a decent price tag. Hackers can list the spoofed credentials on the dark web or even hold them and demand ransom from victim organizations.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Learning about dark web hacking tools 

As we have seen, the dark web marketplace is home to numerous tools that a hacker can purchase to carry out attacks. The information about dark web hacking tools is extremely valuable for law enforcement and companies who constantly strive to improve their security defenses. Additionally, pentesters can use this list to conduct ethical white hat hacking so that they can see vulnerabilities from a hacker’s point of view and address them before they’re exploited.



  1. Dark Web Marketplace and Cybercrime Pricing EOY 2020, Flashpoint
  2. 10 Dark Web Facts You Need to See Right Now, ID Agent
Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.