The Dynamic Dark Web
It would be easy, or at least easier, if the dark web and the bad actors who play there remained static. If they stood still while cybersecurity companies surged forward with innovative solutions to fight the array of attacks, we wouldn’t be in the predicament we’re in. Unfortunately, it doesn’t work that way. Even as the good guys get smarter, faster and better, the bad guys are innovating just as fast. It’s a cat and mouse game that never seems to end.
In a research report we recently released, Innovation on The Dark Web, we discuss where the criminals are headed next and where they’re slipping up. The third generation of buying and selling on the dark web has emerged. One example of its evolution is exit scamming, now a common theme among seemingly innocent businesses. While they look like typical businesses from the outside, they are run by con artists who scam their own clients by collecting payment for a promised product and then never shipping it. The “company” quickly disappears from the dark market before the perpetrators can be caught, only to set up shop with a new company name days later and repeat the process.
We also point out that the deep web is not the same as the dark web, even though they’re often believed to be one and the same. The deep web is where we (law-abiding citizens) spend most of our time. It consists of common, public websites that require authentication, such as Facebook, Dropbox or any site with password-restricted access. The dark web is where illegal activity is common, and it’s a volatile and dynamic place.
Hidden But Not Invisible
Cybercriminals need a place to work and interact, and dark markets serve as their workspace. Just as with any company, each has a leader. These “executives” believe they are invisible to law enforcement, but they are mistaken. Their identities may be hidden for a while, but law enforcement is getting better at finding the evidence.
Europol and U.S. law enforcement agencies were able to take down two of the largest darknet markets in Operation Bayonet in 2017. Even with the dismantling of AlphaBay and Hansa, rising criminals were able to take over in new venues, like the r/DarkNetMarkets subreddit. It appears that as quickly as one dark market is seized, a new market appears, even if it’s the personal market of the fraudster (such as Dread). Examples of how fraudsters worked within Dread are interesting and can be found in the full research report.
Figure 1: Screenshot of the dark net: “Dread” forum
Another example is the rise of the Empire Market, which looks remarkably like AlphaBay and was established after Operation Bayonet discovered its predecessor. The Cryptonia Market is one more new market and is more innovative than ever, offering impressive “trustless” security features, such as required PGP encryption for payments and communications, and wallet-less purchasing for extra anonymity.
Figure 2: Side-by-side of Empire Market and its predecessor, AlphaBay
Not all markets operate with such practices. Nightmare Market, a name that should provide a clue about its intentions, is known to lock users out of their own accounts so they can’t recover funds. Of course, no one is really doing anything about it; the site provides a marketplace for everything from the sale of drugs to counterfeit items, so calling attention to issues like account lockout isn’t going to do its customer base any good.
Figure 3: Product Categories on the “Nightmare” market
As many of these markets come and go, it can be challenging for darknet market vendors and customers to know which markets are still valid and which are offline. The FBI seized the Deep Dot Web, the go-to website of updated dark market statuses, confusing things a bit — but not for long. New darknet market service websites popped up, offering real-time statuses and addresses of valid markets.
Figure 4: Screenshot of the Deep Dot Web hidden site after it was seized
The Human Element
The vitality of these markets is a testament to the perseverance of the human will. As long as there is a demand for a product or service, criminals will find a market to fill that demand. But these markets are run by humans, and humans make mistakes. A case in point is Alexandre Cazes, the kingpin of the AlphaBay market. He was caught by a simple human mistake: in welcome messages to new AlphaBay Market members, he used an old email address (firstname.lastname@example.org, no less) that he’d already used on a public forum. The Justice Department was able to link that email address directly to him, giving them all they needed to charge him with racketeering, money laundering, narcotics distribution and identity theft.
He’s not the only one who thought he’d crossed all his Ts. Silk Road founder Ross Ulbricht once posted his private email address online and posted damning personal details on his LinkedIn profile. Law enforcement approaches these cybercriminals the same way it may approach any other criminal: if they wait long enough, the criminal almost always makes a mistake. In these instances, their downfall was leaving digital evidence of their affiliation with the nefarious markets they created.
What We Can Expect
If we’ve learned anything from the cyber world, it’s that you can’t accurately predict what’s next. Innovation goes both ways and no one has clear visibility into each other’s progress. As technology evolves, so too will the criminals’ strategies and security innovators’ solutions.
As far as the dark markets go, we’ve already seen that they can resurface as quickly as they are brought down. The new, third-generation markets may be smaller counterparts of their fallen predecessors, but they’re getting smarter and more secure. They’re offering greater anonymity, making it more difficult for law enforcement to find the players. Thankfully, security leaders are getting smarter, too, using sophisticated methods and technologies to keep pace.