The Blog
Sweet Dream(s)

Sweet Dream(s)

BlueLiv

Sweet Dream(s): An examination of instability in the darknet markets

  • These past few weeks in cyber underground news have seen the surprising hat trick of the passage of the self-imposed deadline for the closure of the notorious Dream Market, the law enforcement seizure of Valhalla Market, and the law enforcement takedown and arrests of admins associated with the Wall Street Market. 

  • Many of the trends observed following the 2017 law enforcement takedowns of the AlphaBay and Hansa marketplaces – such as the pursual of alternative methods of conducting illicit business that are not tied to any darknet markets whatsoever – are likely to return or accelerate following the recent developments.  

  • Despite years of volatility, darknet marketplaces continue to be created and gain popularity. This is likely a result of the prevalence of the darknet drug trade, which is best served by these market-style platforms. As long as these marketplaces continue to pop up to facilitate an illicit drug trade, cybercriminal vendors and buyers will undoubtedly piggyback off the infrastructure and built-in client base that comes with that. 

  • It’s too soon to say what the next big marketplace may be, nor what is happening with Dream, but one thing is for sure: these current developments do not yet spell the end for darknet markets. Not in your wildest Dreams. 

 

Darknet Market Seizures & Looming Closure

Just when the English-language marketplaces seemed to have returned to a level of normalcy and stability, cybercriminals around the world have once again had their dreams dashed.  

 

These past few weeks in cyber underground news have seen the surprising hat trick of the passage of the unsatisfyingly-explained deadline for the threatened-though-has-yet-to-materialize closure of the notorious Dream Market, the law enforcement seizure of the Valhalla Market (also known as Silkkitie), and the law enforcement takedown and arrests of admins associated with the Wall Street Market. 

Figure 1: A banner displayed at the Tor address of the Wall Street Market declares that the site has been seized by German law enforcement.  

 

A month ago, Dream Market was considered by many to be the largest darknet market, with the Wall Street Market clocking in as the second largest. Both these marketplaces, though Dream in particular, were the heirs to the throne vacated by the AlphaBay and Hansa marketplaces following the law enforcement takedowns of those sites in summer 2017. Dream and Wall Street alike offered a tremendous array of illicit goods, ranging from compromised databases, to drugs of all stripes, to counterfeit luxury items and so much more.  

 

While the seizures of the Wall Street and Valhalla markets were announced on May 3rd by Europol – in conjunction with several government agencies from around the world – Dream’s situation remains quite curious and is not well understood. At the end of March, the marketplace had announced a self-imposed closure with the following statement published on the site:  

 

Despite the passage of the April 30th deadline, Dream Market is still online as of May 9, 2019.  

Figure 2: The Dream Market homepage includes an announcement about the future of the marketplace. This announcement has remained up even after April 30th.  

 

Dream & Wall Street Rise from AlphaBay & Hansa’s Ashes 

English-language marketplaces have served as one of cybercrime’s most consistent watering holes for years, attracting criminals, drug dealers, crackers, and other assorted miscreants from around the world. English has proven to be one of the most popular languages for conducting business on the darknet, no doubt fueled by the large numbers of both native and second-language speakers. Additionally, the age and size of the English-language underground has contributed towards making many of its forums and markets the go-to stops for cybercriminals. 

 

The English-language darknet community is also the only darknet linguistic community with a demonstrated ability to both create and sustain darknet markets. While various other linguistic communities have spun up short-lived marketplaces – such as the Brazilian Portuguese community’s Mercado Negro – these projects are typically plagued with low participation rates, prolonged and unexplained periods of downtime, and unscrupulous admins. As a result, many who wish to conduct their illicit dealings in a non-English language typically do so on cybercriminal forums; others still turn to even-less-structured chat platforms such as Telegram and Discord. These alternatives, however, have their disadvantages, and the difference between a darknet market and a forum for the purpose of sales is similar to the gulf between Amazon and Craigslist. 

 

Underlying the appeal of English-language markets to cybercriminals is the reality that the past few years have been an incredibly volatile time for darknet marketplaces. The law enforcement takedowns of the AlphaBay and Hansa marketplaces in 2017 seriously shook up the English-language underground.  

Figure 3: A notice posted on the Hansa market, announcing that the market had been seized and controlled by the Dutch National Police for nearly a month prior to its takedown.

 

In the wake of the 2017 takedowns, various marketplaces rose to and fell from prominence: TradeRoute, Olympus, Libertas, and so many others that burned brightly before inevitably failing or exit scamming. Through this all, Dream and Wall Street weathered the storm (with several noteworthy hiccups); this stability contributed to cementing these markets’ positions as the largest darknet markets available at the time.  

 

Stability for the Darknet Markets?  

The purpose of this blog is not to speculate on the current situation unfolding with Dream Market – which, as noted in the announcement, is supposedly being taken over by another “company” – nor the details of the Wall Street and Valhalla takedowns, but rather to focus on how these developments fit into the larger picture of darknet markets and how cybercriminals are likely to react in the weeks and months ahead.  

 

The announcement of Dream’s migration had the immediate effect of torpedoing cybercriminal trust in the market. Darknet vendors and buyers alike are weary of such strange activity as a result of the lessons learned from AlphaBay and Hansa. During Operation Bayonet – the law enforcement effort behind the AlphaBay and Hansa takedowns – law enforcement seized control of the Hansa marketplace and converted it into a gigantic honeypot, scooping up information on the thousands of darknet users migrating from the at-the-time-unexplainably-shuttered AlphaBay. The sense of anxiety imbued in cybercriminals as a result of these actions has somewhat abated but is far from disappeared.  

 

Darknet merchants and customers are likely further spooked by the fact that Dream’s closure announcement came on the heels of a March 26, 2019 Europol announcement that 61 darknet vendors had been arrested. Trust in darknet markets further declined in late April when it was revealed that the team behind Wall Street Market appeared to be exit scamming, making off with all the money left in the market’s escrow. And of course, it’s now known that Wall Street and Valhalla have both been seized by law enforcement. The current darknet market landscape – from the perspective of a cybercriminal – is confusing and bleak.  

 

Immediate Consequences of Recent Developments on the Darknet Markets

Many of the trends observed immediately following the AlphaBay and Hansa takedowns are likely to return or accelerate following the closures of Wall Street, Valhalla, and (presumably) Dream.  

 

Cybercriminals are likely to once again pursue alternative methods of conducting business that are not tied to darknet marketplaces whatsoever. Late 2017 and early 2018 saw a swell of cybercriminals turning to legitimate e-commerce platforms – particularly those that allowed payments in cryptocurrencies and facilitated the auto-dispensal of digital goods – as a means for selling their malicious products. Other cybercriminals with more established reputations elected to create their very own websites where they marketed solely their own products. While these trends have continued into 2019, they had lost a lot of steam as the marketplaces appeared to stabilize; it is likely that the recent instability will accelerate them once again.  

 

The closure of AlphaBay and Hansa also meant the eradication of some of the most popular English-language cybercriminal forums, particularly the Alphabay Market Forums. English-speaking cybercriminals have since floundered for a place to call home. Following the takedowns, many resettled to various fraud-themed subreddits to regroup and resume business as usual before being expunged from Reddit in March 2018. While this purge inspired the birth of the crime-centric bizarro Reddit called Dread, no platform, including Dread, has come close to replicating the volume and caliber of English-language crime conversation regularly seen on the AlphaBay Market Forums.  The English-language cybercriminal community will continue to grapple with this reality and its implications for organized cybercriminal efforts. 

 

The Future of Darknet Markets

Even with all the instability and the subpar cybercriminal conversation, English-language marketplaces continue to proliferate. This is despite the fact that many of the cybercriminal offerings of English-language marketplaces could fit into other linguistic cybercriminal ecosystems with relative ease. The Russian-language cybercriminal community, for instance, is home to the most notorious accounts shops (for stolen credentials) and card shops (for compromised payment cards), with many of the card shops also boasting sections dedicated to the sale of personally identifiable information (PII); furthermore, all of the most prominent card and account shops are available in English, sometimes by default. 

Figure 4: The homepage of the top-tier cybercriminal card shop Joker’s Stash is available in English. The shop is strongly believed to be controlled by Russian-speaking cybercriminals.  

 

Yet a move to other cybercriminal spaces – Russian-language or otherwise – has not occurred, and English-language darknet markets keep coming up nearly as fast as they go down. The key to this puzzle likely lies in the online drug trade. No other darkweb linguistic community is host to such a strong drug culture as that found in the English-language community. Darknet marketplaces are above all else the home to drugs of absolutely all types – strains of marijuana with fantastical names, homemade lean, ecstasy pills shaped like Donald Trump… anything goes. The language of the online drug trade is solidly English, and the online drug trade is best served by this market-style approach. This is evidenced by the number of drug listings on any of the darknet marketplaces: on Dream Market, for instance, slightly over half of all listings are for drugs and drug paraphernalia; on rival Empire Market, nearly 19,000 of the market’s 30,000 listings are for “Drugs & Chemicals.” As long as marketplaces continue to pop up to facilitate an online illicit drug trade, cybercriminal vendors and buyers will undoubtedly piggyback off the infrastructure and built-in client base that comes with that. 

 

A fractured cybercriminal community – as the English-language darknet community once again finds itself – requires careful monitoring by threat intelligence analysts. Threat actors are going to scatter across forums and marketplaces, while others will take this opportunity to quit while they believe they’re still ahead. It’s too soon to say what the next big marketplace may be – or if Dream will stick around to retain that title and regain lost trust – but one thing is for sure: these current developments do not yet spell the end for darknet markets. Not in your wildest Dreams. 

Share this:
Is Your Organization Ready... CISO 18
Jun
Is Your Organization Ready...

by Brian Tuemmler, Information Governance Program Architect - Nuix

ObserveIT Blog CISO 19
Jun
ObserveIT Blog

New Ponemon Institute Study: Insider Threats Lead to Big Losses and Significant Costs

New Release: Agari Email Trust Platform CISO 21
Jun
New Release: Agari Email Trust Platform

New Agari Release Amplifies Protection Against Rise in Advanced Identity Deception Attacks

Request more information

You have missed out some details, please try again.

Your Name:
Job Title:
Company Name:
Email:
Phone:
Please answer the above question to prove that you are human.

©2019 Global Business Intelligence | All Rights Reserved

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies. You can find out how we use cookies here.