Why Darknet Markets PersistEase of Use and Few Alternatives Keep Bringing Users Back
Empire is the latest darknet market to "exit scam," meaning administrators ran away with users' cryptocurrency, leaving the market to fail.
See Also: Top 50 Security Threats
The fall of Empire raises a repeat question for denizens of darknet - aka dark web - markets: Why do they persist? (A darknet or dark web site refers to any .onion website that can only be reached by using the anonymizing Tor browser.)
"There are two main reasons here: the lack of alternatives and the ease of use of marketplaces," researchers at the Photon Research Team at digital risk protection firm Digital Shadows tell Information Security Media Group.
At least for English-speaking users, such considerations often appear to trump other options, which include encrypted messaging apps as well as forums devoted to cybercrime or hacking. And many users continue to rely on markets despite the threat of exit scams, getting scammed by sellers or getting identified and arrested by police.
Another option is Russian-language cybercrime forums, which continue to thrive, with many hosting high-value items. But researchers say that, even when armed with translation software, English speakers often have difficulty coping with Russian cybercrime argot. Many Russian speakers also refuse to do business with anyone from the West.
Another alternative is to use legitimate, encrypted messaging apps, such as Telegram, Discord, Jabber and Wickr.
But researchers say many criminals distrust tools not made by and for criminals. They also note that, unlike darknet markets, buyers and sellers using chat apps often seem to struggle to find one another before they must then attempt to make deals via chats, rather than easier-to-use e-commerce functionality.
English-Speaking Forums: 'Uninspiring'
"In many ways, English-speaking cybercriminals do not have much choice other than to use English-language dark web marketplaces," Digital Shadows says. "The English-language forum scene is unstable and uninspiring; platforms that have the potential to attract a large userbase of skilled threat actors often close before their time, as we saw recently with the closure of the cybercriminal forum Torum" in August.
Claiming to have more than 130,000 users, "Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website," says Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela, in a blog post.
"While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation," she adds, pointing out that users often complained that it was too cluttered by "noob questions."
Kivilevich notes that, before Torum's administrator decided to call it quits, top topics on the site in July were:
- Hacking and cybersecurity;
- Databases - both for sale and for free;
- Accounts, remote access and payment card data for sale;
- Malware for sale.
While Torum is gone, the world's most popular English-speaking forum - RaidForums - remains. It claims to have 465,000 members, with 15,000 of them active each day, Kivilevich says.
"Many cybercriminal forums ban drug sales; often drug sales are a huge part of marketplaces' incomes."
But even long-running forums, such as RaidForums, "often lack appeal because they are considered to be full of inexperienced users - 'script kiddies' - or scammers," Digital Shadows says. "Another important point to note is that many cybercriminal forums ban drug sales; often drug sales are a huge part of marketplaces' incomes."
Many cybercrime markets resemble illicit versions of eBay or Amazon.
They offer a variety of features - high degrees of usability, clear design, the ease of listing goods and purchasing them, rating systems for vendors and escrow systems designed to prevent nonfulfillment - and are designed to be a one-stop shop for buyers and sellers.
Researchers tell ISMG that there are 10 particular attributes that make cybercrime markets so attractive:
- Escrow: Many markets provide automated escrow services - backed by dispute resolution - which provides greater security for both buyers and sellers.
- Visibility: Vendors know that they have a wide user base to which they can advertise their goods, increasing their chances of making a sale.
- E-commerce: "Listings can often be purchased with a few simple clicks," Digital Shadows says, and such listings appear the same for everyone, whereas on a forum, "buyers must engage in personal interactions with vendors" to make purchases.
- Looks: Markets resemble bona fide e-commerce sites, whereas forums rely on a "clunky thread-and-post model" that "is unappealing to many," Digital Shadows says.
- Payments: Unlike forums, which largely only facilitate bitcoin payments, many marketplaces offer the ability to pay via multiple cryptocurrencies and to do so automatically - for example, not having to manually move money from their bitcoin wallet to a seller's wallet.
- Reviews: Rating and reviewing vendors and their products provides some indication of a seller's credibility and gives some reassurance to buyers that they will not be scammed.
- Anonymity: "Anonymity seems higher on marketplaces when compared with forums, in which content is usually viewable by all members and valuable identifying details can be discerned by researchers and law enforcement agencies," Digital Shadows says. And unlike messaging apps, markets are not tied to a user's smartphone.
- Secrecy: Some markets offer PGP-encrypted messages.
- Restrictions: "Forums often have strict rules and regulations governing how their members should act on the site; marketplaces have none of this and provide an impersonal platform on which buyers can be business-like and simply conduct transactions," Digital Shadows says. "Marketplace members do not have to live in fear of offending another forum member and being banned for one of their posts."
- Financial gain: For administrators, running a darknet market offers high potential earnings, because they take a percentage cut of every sale. "Even if they become a target, they can evade being caught while earning much more money because of all the features that attract users," according to Kela. "And for some of them, it's a perfect opportunity to get rich in one day - like the recent Empire scam."
The Rise of 'Automarkets'
Kivilevich and Raveed Laeb, Kela's product manager, tell ISMG that it's important to distinguish between the two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials. "We also see sales of illicit and counterfeit goods - money, watches and stuff like that - but most of the time, that's not the actual focus," they say.
"In the eyes of the 'darknet' community, autoshops and markets are inherently different."
—Kela's Raveed Laeb and Victoria Kivilevich
More recently, the sale of cyber goods has been migrating to what the darknet community calls "autoshops," meaning they sell goods and services in a highly automated manner. Kela refers to this as the "servitization" - meaning selling not just goods but also services and outcomes - of the underground ecosystem.
"In the eyes of the 'darknet' community, autoshops and markets are inherently different," the Kela researchers say.
This autoshop model doesn't suit drugs, which need to be physically manufactured and shipped. "They're also different by way of 99.9% of countries fully agreeing drugs are illegal to make, ship or sell - unlike cyber-related stuff, which may be in gray areas sometimes and really depend on local laws," they say.
Another drive for this shift is that many believe that "darknet markets are mostly targeted [by police] for their drug trade - not for selling illicit goods or fraud tutorials," Laeb and Kivilevich add.
The Hansa Maneuver
Using a darknet market carries risks because of increasing attention from law enforcement agencies.
For example, Europol - the EU's law enforcement intelligence agency - now has a dedicated "dark web team" devoted to eradicating darknet marketplaces. Success stories include an operation codenamed "Bayonet" - in collaboration with the FBI and U.S. Drug Enforcement Agency - that in 2017 took down AlphaBay.
As often happens, users quickly moved to other sites, including AlphaBay's chief rival, Hansa. But in a masterful policing move, Dutch cops had already infiltrated Hansa, and for a time, they spied on buyers and sellers, including the fresh influx. The police then shared this intelligence with international law enforcement officials to help them identify and arrest suspects.
Better Luck Next Time?
Demand for new English-language cybercrime markets continues to be high because so many existing markets get disrupted by law enforcement agencies or have administrators who run an exit scam.
In recent days, the Icarus market - one of the top remaining alternatives to Empire - has gone offline, with an admin claiming the site was hacked by a former admin - although many darknet market watchers suspect it's yet another exit scam. No doubt ex-Icarus users will now begin discussing where to go next.
"Many English-speaking cybercriminals see little choice other than to register on whichever new marketplace pops up to take the place of a recently closed one and hope that history does not repeat itself," the Digital Shadows researchers say. "New marketplaces also play on this - when they advertise themselves, they reference exit scams and law enforcement takedowns that have occurred in the past and promote features or make promises to ensure that such problems will not occur again."