Cybercrime: Darknet Markets Live on, Even as Players ChangeWhile Some Big Markets Have Retired, New Players Compete for Dominance, Experts Say
Eleven years after the launch of the pioneering Silk Road online black market by Ross "Dread Pirate Roberts" Ulbricht, new generations of underground markets have continued to sell illicit substances, malware, firearms and more online, oftentimes via darknet sites.
Darknet market administrators, buyers and sellers, however, continue to face numerous challenges, including the threat of arrest. But while individual darknet markets come and go, the business model seems to not just be continuing to exist, but to remain thriving.
"There are two main reasons here: the lack of alternatives and the ease of use of marketplaces," researchers at threat intelligence firm Digital Shadows have said when explaining why darknet markets persist.
Darknet markets refer to sites, generally only reachable via the anonymizing Tor browser, that offer "a wide variety of goods, products and services by - and to - cybercriminals," says Victoria Kivilevich, director of threat research at Israeli cybersecurity firm Kela. But she says that it's important to differentiate between two dominant types: drug-focused markets and those offering "cyber-related stuff, such as logins, databases, malware, so on."
Online alternatives for both exist. Would-be darknet market buyers and sellers can always try to take their business elsewhere - for example, to use encrypted messaging applications. But what's on offer from markets appears, for many, to continue to outweigh the downsides of using them. Upsides include their serving as a centralized location for buyers and sellers to connect, ratings for sellers and goods that help guide buyers and root out scammers, and markets offering to hold funds in escrow until orders get fulfilled, as well as dispute-resolution services.
One of the most long-standing and popular darknet markets remains Russian-language Hydra, which does not welcome non-Russian speakers or anyone not located in or around Russia.
Many other non-regional markets, however, continue to come and go, and the reasons can vary, as blockchain analytics firm Elliptic has highlighted in its research report: "Why are billion-dollar darknet markets retiring?"
Multiple big markets have exited in the past 12 months, oftentimes after years of operation. They include:
- Carding site Joker's Stash - 2014 to January 2021;
- General-purpose White House - February 2019 to October 2021;
- Cannabis-focused Cannazon - March 2018 to November 2021;
- General-purpose and drug market Torrez - April 2020 to December 2021;
- Carding site UniCC - 2013 to January 2022;
- UniCC-affiliated site Luxsocks - May 2014 to January 2022.
But numerous other darknet markets new and old persist, including Bohemia, MGM Grand, Tor2door, World Market and a rebooted AlphaBay, among others.
Why Darknet Markets Disappear
Elliptic identifies five reasons why market administrators typically exit the scene:
- Rich: They've made so much money, they can retire.
- Risk: The perceived risk of arrest gets too great.
- Extortion: Market operators regularly get shaken down by cybercriminals, including via distributed denial-of-service attacks, unless they pay the equivalent of online protection money, aka a ransom.
- Personal: Administrators sometimes cite a change in circumstances, such as their health.
- Arrest: Administrators can and do get identified and arrested, and their markets get taken over or disrupted.
Another cause of darknet markets going dark has been exit scams. Again, many active markets offer escrow systems, to ensure that buyers and sellers don't get defrauded until orders get fulfilled. But with a market sometimes holding cryptocurrency worth millions of dollars in escrow, many administrators have historically opted to abandon their sites, exiting with all of the bitcoins, monero and other digital currency.
Elliptic, however, notes that at least in the past six months, for whatever reason, exit scams appear to have been less common than before.
'We Are Not Young'
Some markets may seemingly disappear for more than one reason. Last month, the anonymous administrator of UniCC, which was then the world's biggest market for stolen payment card data following the retirement of Joker's Stash, announced its own retirement in a forum post. "We are not young and our health do not allow to work like this any longer," it read.
By all accounts, the site had been very successful. "UniCC has been active since 2013, and it has received cryptocurrency payments over that period totaling $358 million across Bitcoin, Litecoin, Ether and Dash," Elliptic said in a report at the time. "Tens of thousands of new cards were listed for sale on the market each day, and it was known for having many different vendors - with the fierce competition keeping prices relatively low."
Shutting down in this type of orderly manner is known as "sunsetting" or "voluntary retirement," David Décary-Hétu, a criminologist at the University of Montreal, told the BBC.
"Right now it seems to be happening more," he said. "Markets gracefully exit and say, 'We've made enough money, and before we get caught, we're just going to retire and go into the sunset.'" That's aided by bigger markets, such as Torrez, having earned their administrators $100,000 per day - or more - via commissions received on every transaction, he added.
Darknet Markets: Healthy Outlook
But with at least six major markets having ceased operations in the past year, does this mean that darknet markets themselves are on the way out?
"We believe that these last two years did not change the markets' landscape radically," Kela's Kivilevich says of cyber-focused darknet markets. "Several big markets closed, with UniCC being the last example; however, new ones continue to appear."
One market's exit remains another's opportunity. "When a market is closed, its users are actively searching for alternatives, while competitors promote themselves eager to fill a niche," Kivilevich says. When Joker's Stash bowed out, for example, UniCC made a bid for its customers and subsequently appeared "to have received significant profits," she says.
Overall, she says the direction of travel continues to be toward what's known in the darknet community as "autoshops," referring to sites that sell goods and services in a highly automated manner. Kela refers to the selling of not just goods but also services and outcomes via highly automated and dedicated sites as "servitization," which is "aimed at aiding the cybercrime business to grow at scale," Kivilevich says.
More sites are being built with this approach in mind, and "we expect this trend to continue," she adds.
One example is log marketplaces, which sell batches of information - such as payment card data, credentials for cryptocurrency wallets and passwords saved in browsers - in individual units, each known as a "bot." Occupying the upper end of the market is Genesis, followed by Russia Market, and another site called 2easy debuted more recently. All are designed to make it easy to buy and sell bots in a highly automated manner (see: Buying Bot-Stolen Logs: Marketplaces Make It '2easy').
Russia Arrests Alleged UniCC Admin
But that doesn't mean running or selling via a darknet market is a surefire way to retire early.
For example, despite a UniCC administrator citing health reasons for bowing out, Russian news service Tass first reported on Jan. 22 that not long after that post, Russia's Federal Security Service, the FSB, arrested the market's alleged administrator, Andrey Sergeevich Novak, and placed three alleged criminal hacking accomplices under house arrest.
At about the same time, a market affiliated with UniCC, called Luxsocks, also went offline, with its site now resolving to an apparent takedown notice posted by Russia's Ministry of Internal Affairs, Elliptic reports.
Whether the alleged UniCC administrators knew of the FSB's interest in their activities before the site's retirement announcement - and whether they may have also been involved in Luxsocks - isn't clear. But Tass reports that all four suspects are facing two charges under Russia's criminal code: "Illegal access to computer information" (Article 272) and "Illegal circulation of means of payment" (Article 187).
Novak is also wanted by U.S. authorities and has been indicted for being an alleged founder of the Infraud Organization, a financially focused cybercrime syndicate disrupted in 2018, with prosecutors tying it to $530 million in losses. Russia, however, never extradites its citizens.
Increasing Tempo of Cybercrime Disruption
News of the four suspects' arrest came one week after the FSB arrested 14 individuals suspected of working with the REvil - aka Sodinokibi - ransomware operation.
Whether the arrest of more alleged cybercriminals, including market operators, might follow remains to be seen. But the threat of arrest remains real for all concerned, and sometimes occurs months or even years later.
Law enforcement agencies can patiently amass intelligence on everyone involved, allowing them to eventually unmask the likes of Silk Road's Ulbricht, who was arrested by the FBI at a San Francisco library in 2013. AlphaBay then became the world's dominant darknet market after its launch in December 2014. But it too was shut down by the FBI in July 2017, at the same time the Canadian citizen who ran the site from Thailand was arrested.
Information gleaned from the takedown of darknet markets feeds further investigations. This week, Canadian national Slava Dmitriev received a three-year sentence after pleading guilty in a U.S. courtroom last year to trading in stolen personal information as well as interacting with The Dark Overlord hacking and extortion group. Prosecutors accused Dmitriev of netting at least $100,000 by trading in stolen identity information, including Social Security numbers, via AlphaBay.
Dmitriev was arrested in September 2020 while traveling in Greece and extradited to the U.S. in January 2021. The U.S. Department of Justice says the charges against him include activities dating from at least May 2016 through July 2017.
This demonstrates a risk posed by darknet markets for all concerned: While they might in the short term facilitate the online buying and selling of illicit goods, with administrators earning fat commissions, is operating or using them worth the long-term risk?
So far, the steady influx of new players and the variety of sites on offer suggest that some remain willing to take that chance. "Darknet markets remain highly lucrative enterprises and if anything, the retirements could give operators the confidence that they can operate a successful market and make their fortunes - without being apprehended," Elliptic says.