Image: Credit card © Francisco Cruz, SuperStock

In mid-September, a European hacker nicknamed Poxxie broke into the computer network of a U.S. company and, he said, grabbed 1,400 credit card numbers, the account holders' names and addresses, and the security code that comes with each card.

With little trouble, he sold the numbers for $3.50 each on his own site, called CVV2s.in, to underworld buyers who have come to trust the quality of his goods, he said.

"The main thing in any business is honesty," Poxxie said, without any apparent trace of irony.

The Traverse City, Mich.-based Ponemon Institute, which researches data security, estimates that thieves annually steal 8.4 million credit card numbers in the U.S. alone. How do cyberbandits, who have turned hacking into a volume business, unload all those numbers? A lot like Amazon.com, it turns out.

Customers on CVV2s can search for card numbers by bank, card type, credit limit and ZIP code, loading them into a virtual shopping basket as they go. The site offers the ability to search by bank identification number. That means customers can choose cards by institutions known to have weak security, Poxxie said. CVV2s even has an automated feature that lets clients validate the numbers in real time, to make sure the bank hasn't canceled the card.

Sites like Poxxie's make up the cyber-underworld's version of a pirates cove, offering their online booty at cut-rate prices. Stolen data worth hundreds of millions of dollars are bought and sold in underground chat rooms and forums every year, a fencing operation that becomes more robust annually, according to RSA, the security division of EMC. CrackHackForum.com, one of the sites, even mimics eBay, rating buyers and sellers with starred reviews.

$114 billion a year

Symantec, the cybersecurity firm, estimates that cyberthieves steal data worth $114 billion a year. By comparison, the FBI said the take from all bank robberies in the U.S. in 2010 was just $43 million. The global market in cocaine is an estimated $85 billion, according to the United Nations.

"The problem is getting worse faster than we're getting better," said Tony Sager, the chief operating officer of the Information Assurance Directorate at the National Security Agency, which includes some of the U.S. government's best cyberexperts. "We're not keeping pace."

To look inside the cyberbazaar, to find details on prices and goods for sale, Bloomberg News gathered information through publicly available websites and in restricted forums, aided in this search by cybersecurity experts. Some of the information was provided through online interviews with participants, who protected their real identities as they discussed details of their lives and criminal operations.

How to verify

The cyber-underground thrives because of anonymity: Hackers can devise any persona to conduct business and use a variety of technical tricks to hide their tracks. Their stories were verified to the extent possible by security experts who have watched the careers and methods of specific hackers for years.

As recently as 2008, the fight between those who protect computer networks and those who attack them was about evenly matched. That's no longer the case, according to the cybercops. The defenders are losing the battle because of a combination of their opponents' technical achievements and rapid advances in a global supply chain of theft.

In 2009, Symantec cataloged 2.8 million new viruses infecting computers. A year later, that number had jumped to 286 million. One reason for the hundredfold growth is that sophisticated viruses now change their digital signatures as they infect new machines. Because anti-virus software uses a catalog of known signatures to stop infections, the dominant cybersecurity technology in many cases is useless as a result.

More from Bloomberg: