A growing threat scenario for IT security managers
International mobility has increased significantly in recent years – and with it the threat to digital identities from targeted cyber attacks. A recent analysis by NordVPN and Saily highlights the alarming scale of this trend: travel data is now one of the most sought-after commodities on relevant dark web forums and marketplaces. For IT departments, especially in security-critical industries, this creates a risk area that directly affects not only private individuals but also companies.
Dark web economy: Identity data as a lucrative commodity
The threat analysts’ survey is based on an investigation of active offers on the dark web between 10 and 20 June 2025. Various categories of digital travel documents – from simple passport copies to complete frequent flyer accounts and fake visa stickers – were examined for availability and market prices. The results paint a clear picture: prices starting at 10 US dollars (approx. 8.50 euros) are already being paid for rudimentary passport scans. Buyers sometimes pay more than 5,000 US dollars (around 4,300 euros) for verified, biometrically readable EU passports. At the same time, prices are rising for compromised frequent flyer accounts, booking data from platforms such as Booking.com, and digital receipts for stays and payments that can be misused for identity theft or credit fraud.
New trends are also emerging: frequent flyer accounts with high reward values are being sold in bundles, often with complete login details, security questions and email addresses. This information can not only be monetised; in combination with travel data, it also provides an ideal basis for social engineering attacks, for example to manipulate company trips or prepare targeted phishing campaigns against field staff.
Attack vectors: From compromised devices to forgotten boarding passes
The ways in which travel data falls into criminal hands are diverse and increasingly professionally orchestrated. Malware-based data theft remains at the forefront of attack techniques: mobile devices, especially those with inadequate protection or not managed through MDM, are becoming a gateway for accessing sensitive documents. Cloud storage with publicly accessible folder structures, often without properly assigned access rights, also offers potential for attack.
Added to this are targeted phishing campaigns that use deceptively genuine-looking check-in portals, visa registration pages or Wi-Fi access points. These sites request selfies with ID or biometric features, which are then used to circumvent verification with deepfakes. The increasing availability of generative AI tools significantly lowers the barrier to entry for such attacks. At the same time, physical travel documents – such as carelessly discarded boarding passes – continue to be collected in a targeted manner, for example at airports, in hotels or in public spaces.
Digital identity theft with maximum leverage
The appeal of stolen travel data for cybercriminals stems from a ratio between effort and potential gain that is particularly unfavourable from a defender's perspective. Travel documents usually contain all the elements necessary to create trustworthy digital identities: full name, date of birth, passport number, nationality, emergency contacts, telephone numbers and often professional affiliations. When combined with additional information obtained through social engineering, this creates a profile that can be used not only for identity theft, but also for fraudulent account openings, credit applications or targeted attacks on company accounts.
Misuse through deepfake or face swap technologies is particularly problematic. More and more platforms require only a combination of a passport scan and a face photo for identity verification – a hurdle that tech-savvy attackers with the right equipment can easily overcome. The result: attackers can gain access to digital services, take over accounts or bypass authentication processes without physically compromising the person concerned.
Security implications for companies with mobile employees
From the perspective of IT departments and security managers, this presents a twofold challenge. On the one hand, mobile devices and travel documents belonging to employees must be better secured – especially when business trips involve crossing borders or accessing critical infrastructure. On the other hand, the threat situation requires comprehensive security awareness among employees themselves, particularly when dealing with emails, travel booking platforms, hotspot connections and cloud storage.
The study recommends a combination of technical and organisational measures. Documents containing sensitive personal information – such as passports, visas or booking confirmations – should always be stored in encrypted digital safes, not in freely accessible cloud services or email inboxes. Phishing prevention is just as important as the widespread use of antivirus solutions, VPNs for public networks and regular checks of travel, financial and bonus accounts for unauthorised access.
Prevention through awareness and control
In addition to technical security, the human factor remains crucial. According to Vykintas Maknickas, CEO of Saily, a healthy scepticism when dealing with digital requests is a central element of modern security architecture. This is because phishing campaigns today are designed with personalised, context-sensitive information that appears authentic and can only be recognised by conscious questioning.
Employees should therefore be able to independently verify suspicious requests – for example, via alternative contact channels, central IT departments or dedicated security officers. Marijus Briedis, CTO of NordVPN, also emphasises the need for an integrated protection concept:
‘The combination of technical protection, awareness measures and active control – such as monitoring tools for suspicious account activity – is essential for detecting and containing abuse at an early stage. Travel documents are no longer static information, but digital keys to far-reaching attack scenarios.’
Conclusion: Travel data – an underestimated risk in security management
The results of the study by NordVPN and Saily clearly show that the trade in travel documents on the dark web has become more professional, demand is rising and attack techniques are constantly evolving. For IT security managers, this means integrating the protection of mobile identities and travel data more closely into their own security strategy – especially in companies with international teams. Only through a combination of technological prevention, employee awareness and continuous monitoring can the risks in this sensitive area be effectively reduced.
Further information on the complete analysis can be found on the NordVPN website: nordvpn.com/de/blog/nordvpn-studie-reisedokumente