Bye-Bye Bitcoins: Empire Darknet Market 'Exit Scams'Darknet Market Is the Latest to See Administrators Steal Users' Cryptocurrency
Message to anyone who placed or fulfilled an order via the world's largest darknet market, Empire, in recent weeks: Say bye-bye to your cryptocurrency.
See Also: 인공 지능과 머신 러닝으로 구현하는 새로운 자금 세탁 방지 체계
Security researchers say it's becoming increasingly clear that Empire, which launched in 2017, has recently "exit scammed," meaning one or more administrators closed up shop, exiting with a horde of bitcoins and other digital currencies they were holding in escrow.
"We are the #1 market and it is your trust that has allowed us to get here."
A darknet - or dark web - site refers to any Onion website that can only be reached by using the anonymizing Tor browser.
Like many other darknet-based markets, Empire could act as an escrow service between buyers and sellers, meaning that it held cryptocurrency that buyers used to pay for goods or services, then remitted that cryptocurrency - after taking a prearranged cut - to vendors after buyers received their goods.
Common listings on Empire marketplace, according to researchers at digital risk protection firm Digital Shadows, included drugs, malware, databases obtained via data breaches, fake passports and drivers' licenses, items for committing fraud - such as "bank accounts and dumps" - as well as carded items, meaning "goods purchased using stolen credit card details. The site also sold other types of software and software license keys as well as "security and hosting services," such as subscriptions for VPN services and bulletproof hosting, they say.
Targeted by DDoS Attacks
Beginning around Aug. 19, Empire appeared to be getting targeted by distributed-denial-of-service attacks. But whether that was true, or a smokescreen used by administrators to hide their exit scam, remains unclear.
On Aug. 20, one of Empire's moderators posted to Dread - a darknet version of Reddit - a message stating that attempts to battle the DDoS attack were continuing, according to screenshots published by Digital Shadows. "We are the #1 market and it is your trust that has allowed us to get here," reads a post to a dedicated subdread - a dedicated space on Dread - for Empire. "Trust is earned over time. When dozens of admins were scamming in 2018 and 2019, we were the only market to stay loyal to you. This is who we are. Our character has not changed. Many want to see us fall but we are not going anywhere."
But on Aug. 23, bitcoins being held in escrow reportedly started to get moved to offline wallets. Since then, many users have been looking for their goods.
"Will I still get my order, I ordered an ounce of shrooms, 7 grams were delivered so I was waiting for the rest and then the site went down, anyone have any ideas?" one user posted to dark web news site DarknetStats. Another commented: "$13k lost but no worries. Its part of the game. tho i wasn't expecting this tbh."
Empire appears to have been the focus of regular DDoS attempts since 2019, many of them ascribed to rival market operators, according to DarknetStats. While Empire announced that it had a mirror system in place, and used an anti-DDoS offering called Endgame to moderate the DDoS attacks, it's not clear if that was true, or if that strategy was effective.
In an Aug. 27 post to Dread, Empire's lead moderator, "Se7en," said that Empire had never worked as intended, and that Empire had been paying an extortionist known as Stackz420, aka Gustav, $10,000 to $15,000 per week to not DDoS the market, according to DarknetStats. Se7en also noted that the market's admins were no longer reachable via their Jabber accounts, which further suggests that they fled with Empire's funds.
"In this tumultuous environment, with English-language marketplaces disappearing left, right, and center, Empire had become a bastion of steadfastness - a beacon of credibility to which all other dark web marketplaces were compared," Digital Shadows says.
But in the end, the administrators appear to have decided to con their users.
Multiple Cryptocurrencies Accepted
Like other darknet markets, Empire users could pay with a variety of cryptocurrencies and buy a variety of goods and services, many of them illegal.
DarknetStats describes Empire market as being "an AlphaBay-style market with BTC, LTC, XMR, MultiSig, and PGP 2FA features," and which "is currently ranked as the biggest darknet market."
Unpacking what that means:
- AlphaBay: This was the world's largest darknet market until July 2017, when a joint law enforcement investigation - involving the United States, Canada and Thailand - arrested the site's administrator, Canadian citizen Alexandre Cazes. Authorities said Cazes had amassed about $23 million from AlphaBay, thanks to the site charging a commission of 2% to 4% on every transaction. He was later found dead in a Bangkok jail cell (see: One Simple Error Led to AlphaBay Admin's Downfall).
- BTC, LTC, XMR: These are shorthand for the cryptocurrencies bitcoin, litecoin and monero.
- Multisig: This refers to an escrow system that can involve up to three keys for the buyer, seller and arbitrator. Typically, the buyer and seller will each validate that they have respectively shipped and received an order, and if either reports problems, the arbitrator can step in and make the final call. Darknet market watchers say that a properly configured three-key multisig can also cut market operators out of the escrow equation, minimizing the risk potentially posed by exit scams. But it's not clear how many darknet market users opt to use a three-key system.
- PGP 2FA: This refers to Empire's two-factor authentication system, which required a user to generate a PGP key. "Once 2FA is set, you'll need to use your personal PGP key to decrypt a message every time you try to login to Empire Market, which acts as an additional firewall along with your password, hence securing your accounts further," according to a guide published by Empire.
Shift to Distributed Markets
Whenever one market closes, buyers and sellers typically flock to another one. Indeed, Empire was launched in response to the closure of AlphaBay, according to DarknetStats, which notes that the administrators used Reddit to solicit input from users and charted their progress, stating that their goal was to design a fresh market with the same look and feel.
Now, chatter on cybercrime forums by users of Empire suggests they'll move to rival markets such as Icarus - now the world's largest darknet market - or White House Market or Versus; or they'll use encrypted messaging app Wickr, Victoria Kivilevich, a threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tells Bleeping Computer.
Encrypted Chat Apps
Stung by the takedowns of AlphaBay, Hansa and other darknet marketplaces, many users of darknet markets - buyers and sellers alike - have been innovating, moving away from centralized, Tor-based marketplaces that appear all too easy for law enforcement to infiltrate.
"They're distributing themselves, so they're moving more to encrypted, distributed marketplaces, like you'd see in Telegram or WhatsApp," computer security expert Alan Woodward, a visiting professor at England's University of Surrey, told me last year (see: Stung by Takedowns, Criminals Tap Distributed Dark Markets).
"This is all really a considerable concern," added Woodward, who contributed to Europol's IOCTA report.
But messaging platforms are not universally adored. "There are widespread fears about the security of these platforms: By trusting a legitimate third-party application's encryption and anonymity policies, threat actors are placing their trust in non-criminals," researchers at Digital Shadows tell me. In other words, many prefer services run by criminals, for criminals, because they feel it better protects their interests.
Exit Scams: Repeat Move
Obviously, not all darknet market users have shifted to tough-to-trace alternatives based on Telegram, WhatsApp, Jabber, Wickr or Discord. Based on chatter about Empire, it appears that the markets still provide a one-stop shop for procuring illicit goods, backed by escrow systems that help prevent buyers and sellers from being scammed. How else can you explain why users continue to flock to these services, rather than adopting safer alternatives?
Digital Shadows says English-speaking darknet marketplaces continue to attract new users because there's a paucity of alternatives: while numerous cybercrime forums exist and would seem to be an alternative way to market goods, many of those forums are unstable or have reputations for being script kiddie hangouts. "Another important point to note is that many cybercriminal forums ban drug sales; often drug sales are a huge part of marketplaces' incomes," the firm's researchers tell me.
Aside from darknet markets and their users getting targeted by law enforcement, another repeat challenge for users, as demonstrated by numerous administrators that have run away with in-escrow cryptocurrency, is that the temptation to run an exit scam appears to remain high.
In April 2019, for example, the alleged administrators of Wall Street Market, then the world's second largest darknet market - with 5,400 registered sellers and 1.15 million customers - said their site was in maintenance mode, claiming they were having trouble with their bitcoin servers. But police said they were running an exit scam, "transferring the customer's funds deposited in the marketplace to themselves," ultimately running away with an estimated $13 million in bitcoins (see: Darknet Disruption: 'Wall Street Market' Closed for Business).
One or more of the administrators - it's not clear if they were connected to the exit scam - also began attempting to extort users of the marketplace. Unless they received a payoff, they were threatening to leak the email address of anyone who had ever logged a trouble ticket with the market and had used their email address in the clear.
For buyers or sellers of illicit goods, exit scams are part of a long list of risks - including extortion and arrest - facing users of darknet markets. And yet people continue to use them.