Even if they may not be able to really do anything about it, children are not immune to identity theft. A data broker on several dark web marketplaces is currently advertising stolen personal information relating specifically to children, according to a researcher and online posts reviewed by Motherboard.

The data allegedly comes from hospitals and paediatricians, according to posts from the broker on the dark web markets Dream and Empire. Emily Wilson, VP of research at cybersecurity firm Terbium Labs first alerted Motherboard to the data listings. Dream is likely the largest dark web market online at the moment.

“For very young children it's reasonable to assume criminals are sourcing the data through access points in hospital networks or government systems. In this case, the vendor is explicit about the hospital connection,” Wilson told Motherboard in an email.

The broker markets the data as a set of “fullz”; that is, full information on someone’s identity, or at least a significant enough moment to commit some form of fraud with it. The listings say the child’s data includes their name, address, phone number, date of birth, and Social Security Number (many parents apply for Social Security Numbers for their newborns, which the federal government recommends.) Each set of data costs $10 each, or $790 for 250 fullz, or $490 for 250, depending on which market a fraudster might buy from.

Caption: A screenshot of one of the listings from the Dream marketplace. Image: Screenshot.

One listing says the data impacts people born between 2000 and 2010, meaning children between the ages of 8 to 18 years old, although as Wilson points out, there is some discrepancy: one image included in a listing says the fullz stretch from 1900-2010. It is not clear if this is mistake on the broker’s part.

As for what a fraudster may actually want to do with this data, “For the children impacted by this listing (with birth years between 2000-2010), most of them won't be opening lines of credit for another five to ten years—plenty of time to do some serious financial damage,” Wilson said. “In the listings, the vendor also notes that these children ‘generally speaking come from good families who can provide [and pay for] medical support.’”

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

In January, Terbium Labs separately found another vendor peddling so-called “infant fullz.”

“When we're talking about infants or very young children, the number of possible sources for data is fairly limited: governments and hospitals, in most cases. As children get older, their data starts to enter the system more broadly, through school registrations and other activities,” Wilson said.

Maybe it’s time to have that conversation about the big bad world of cybercrime a little bit earlier.