This is sufficiently-well established presently that it's almost hard to find specific documentation as it's largely accepted fact. I'm finding few hits post-2019, so it's possible that data practices have improved.
WNYC's On the Media carried several interviews with a documentarian filming Alexy Navalny as Navalny and the documentarian team identified Navalny's (initial) would-be assassins, including various FSB agents. They specifically targeted a person they'd think might have weak opsec, a scientist directly engaged in producing nerve agents (novichok IIRC). His core competence was chemistry rather than spycraft. The documentary team included a former Bellingcat investigator:
Brooke Gladstone: In the months following Navalny's poisoning, Christo Grozev, former lead Russia investigator at Bellingcat, was stuck in Vienna with filmmaker Daniel Roher. The two had just been booted from Ukraine where they had been trying to film an investigation. Now Grozev had lots of time on his hands and a laptop and a fresh stack of data from the Russian black market....
Christo Grozev: When we were looking at the Navalny poisoning, we thought, "Well, they must have used the same scientists. They can't have hundreds of scientists who do this. This has to be kept top secret. These people have to take the risk to manufacture this toxin." I started looking at the phone records of these scientists, and we bought them on the Russian markets where you can buy absolutely any kind of data.... [Navalny's people] provided the data of how Navalny had traveled to what locations. I matched it to the known travel data of the poisoners and spies. We saw this pattern, essentially a group of six to eight FSB poisoners had been tailing him for more than four years to a total of 66 different towns and cities.
<https://www.wnycstudios.org/podcasts/otm/episodes/revisiting...>
Other general coverage (searching "russia black market data"):
"Russian data theft: Shady world where all is for sale" (26 May 2019)
According to cyber-security experts, vast quantities of supposedly private data - including from Russian state institutions - are bought and sold every day....
<https://www.bbc.com/news/world-europe-48348307>
And for a long time. From 2009:
Goldmine of black market in Russian data
Gorbushka Market, just outside central Moscow, does a thriving trade in any electronics good you could want: mobile phones, plasma television sets, the latest DVDs, and, if you ask to see them, software peddlers will show potential clients a list of “databases”.
These consist of CDs with names such as “Ministry of Interior – Federal Road Safety Service”, “Tax Service” and “Federal Anti-Narcotics Service” and cost about $100 apiece. Each contains confidential information gathered by Russian law enforcement or government agencies: anything from arrest records, personal addresses, passport numbers, phone records or address books to bank account details, known associates, tax data and flight records are on offer...
<https://www.ft.com/content/07dedd34-d921-11de-b2d5-00144feab...>
Archive: <https://archive.is/UPPHK>
And 2005:
"In the stolen-data trade, Moscow is the Wild East"
<https://web.archive.org/web/20050708015611/http://www.globet...>
Adjacent article on Bellingcat OSINT generally (2024), though nothing on black markets:
"The forensic empire that is Bellingcat"
<https://www.theprojectcounselgroup.com/2024/06/19/the-forens...>