Purpose – Cybercrime has rapidly developed in recent years thanks in part to online markets for tools and credentials. Credential trading operates along the lines of a wholesale distribution model, where compromised credentials are bundled together for sale to end-users. Thus, the criminals who specialize in obtaining credentials (through phishing, dumpster diving, etc.) are typically not the same as the end-users. This research aims to propose an initial methodology for further understanding of how credentials are traded in online marketplaces (such as internet relay chat (IRC) channels), such as typical amounts charged per credential, and with a view to preliminary profiling, especially based on language identification. Design/methodology/approach – This research proposes an initial methodology for further understanding of how credentials are traded in online marketplaces (such as IRC channels), such as typical amounts charged per credential, and with a view to preliminary profiling, especially based on language identification. Initial results from a small sample of credential chatroom data is analysed using the technique. Findings – The paper identified five key term categories from the subset of the 100 most frequent terms (bank/payment provider names, supported trading actions, non-cash commodities for trading, targeted countries and times), and demonstrated how actors and processes could be extracted to identify common business processes in credential trading. In turn, these elements could potentially be used to track the specific trading activities of individuals or groups. The hope in the long-term is that we may be able to cross-reference named entities in the credential trading world (or a pattern of activity) and cross-reference this with known credential theft attacks, such as phishing. Originality/value – This is the first study to propose a methodology to systematically analyse credential trading on the internet.