Why It Matters: Public and private security professionals investigating Dark Web marketplaces must remain ever vigilant as existing markets shut down and new markets emerge. The technologies and tactics used by Darknet marketplaces and Dark Web users evolve constantly to limit their exposure. Investigators need to be agile in their own methods and the technologies used to research Dark Web crimes.
Like most other forms of commerce, transactions for illegal goods such as drugs, weapons and illegal pornography have been shifting to the online space for a while now. Buying a new laptop online, for example, is a much different experience than buying drugs. It’s not as simple as accessing a website and clicking “order online.” Illegal goods are typically sold on the Deep and Dark Web through specific contacts or by accessing a Dark Web marketplace using a Tor browser. While Tor browsers do provide limited anonymity, Darknet marketplace operators and users are at risk of being exposed by other Dark Web users, by law enforcement agencies that are actively targeting Darknet markets or even by themselves, through a careless mistake such as using a personal email address. The other difference between “regular e-commerce” sites and Darknet markets is their typically short life span. The Dark Web as a whole is in a state of constant flux.
Ultimately, Dark Web marketplaces are constantly moving targets. Each time an incumbent market goes down, or a new market appears, the whole ecosystem must reorganize itself, and legal authorities must be prepared for these shifts as they tackle the Sisyphean task of combating the sale of illicit goods online. Law enforcement agencies have increasingly leveraged the innovative applications being developed in the private sector to augment their abilities and better address the problem.
Exit scams are perhaps the most common reason for a Dark Web marketplace shutdown. An exit scam occurs when an established business stops shipping orders while continuing to receive payment for new orders. On the Dark Web, when a marketplace or seller has achieved a solid reputation, it can take some time before it is recognized that orders are no longer being shipped. Customers do not realize that the orders are not being fulfilled until after the operator or seller has already made off with the money from unshipped orders.
Exit scams are tempting for illegal marketplaces. Given the constant risk of being shut down by authorities, operators perform exit scams to retain funds in escrow and avoid prosecution. Since cheated buyers are knowing participants in illegal activities, it is not a viable option for them to notify law enforcement, in part because they do not want to report their own complicity, but also because the buyer will most likely not know the identity or physical location of the scammer.
Law Enforcement Shutdowns
The seizure of Dark Web markets by law enforcement tends to be the more publicized scenario to hit mainstream media. These types of operations typically involve multiple agencies and extensive investigation to connect Darknet market transactions to real people. Surprisingly, some of the biggest Dark Web markets have been shut down for mundane reasons. Operators slip up at one point or another, leaving traces of their real identity online in a way that can be connected back to the market.
Silk Road – The Silk Road marketplace shut down after Ross Ulbricht was arrested in 2014 as part of Operation Onymous. In 2011, Ulbricht posted a message on a Bitcoin-focused forum encouraging others to check out the recently launched online marketplace. An archived version of that post led an IRS investigator to the username “altoid.” Finally, another post from altoid included the email address “rossulbricht at gmail dot com.”
AlphaBay – The AlphaBay marketplace was shut down by law enforcement in conjunction with Operation Bayonet. AlphaBay was the largest darknet market, with about 40,000 vendors and 200,000 customers, and estimates suggest it was about ten times bigger than Silk Road. The founder of the site, Alexandre Cazes, was connected to the site and arrested by the authorities because the original welcome message on AlphaBay in 2014 included Cazes's personal email address. Notably, a 2008 post on an online tech forum authored by someone using the moniker Alpha02 also included the same email address, and the name Alexandre Cazes. Alpha02 was the moniker used by the AlphaBay administrator.
Hansa – When AlphaBay was shuttered in July 2017, users initially flocked to alternative markets, most notably the Hansa market. Unbeknownst to sellers and buyers, the Hansa market was under the control of law enforcement. As part of Operation Bayonet, authorities allowed thousands of illegal transactions and made a number of changes to the site to catch careless users.
Law enforcement agencies around the world are looking to curb illicit activity on the Dark Web, in particular related to drugs, weapons and illegal pornography. While seizures and arrests occur on a regular basis, Dark Web markets are a scourge that will not be cured. Through online investigative efforts and the concerted activities of different agencies, the problem can be addressed but it will not disappear. Investigators gain access to new technology and devise new methods to research their targets. At the same time, malicious actors on the Dark Web adapt and innovate new ways to thwart identification and prosecution.
It should come as no surprise that Dark Web marketplaces, which are regular resellers of hacked credentials and hacker attack methods, also fall victim to hackers. Sometimes, these are organized by competitors in order to increase their market share by doing away with other markets. Other times, hackers gain access to Dark Web market servers just to see if they can. Whether prompted by greed or curiosity, the outcome is the same. Generally, these types of attacks are ongoing and marketplace operators must remain vigilant to ensure their own safety, as well as that of their users.
Say Goodbye to Dream Market
Dream Market, the top known Dark Web marketplace at the time of writing, recently announced it was shutting down. According to Dream Market site admins, the site has been suffering for several weeks from DoS attacks, leaving it crippled and the admins unable to maintain it.
Dream Market announced it was shutting down operations on April 30, 2019, and transferring services to a new onion address under new management.
The announcement comes at an interesting time. On March 26, the DEA shared the most recent outcome of Operation SaboTor:
“As a result of Operation SaboTor, U.S. and international law enforcement agencies made 61 arrests and shut down 50 Darknet accounts used for illegal activity. Law enforcement executed 65 search warrants, seizing 299.5 kilograms of drugs, 51 firearms, and more than $7 million ($4.5 million in cryptocurrency, $2.48 million in cash, and $40,000 in gold). They also conducted 122 interviews. In addition, participating agencies engaged in public education efforts regarding the dangers of opioid abuse during the operation.”
This announcement from law enforcement, along with the activity on Dream Market, has prompted speculation that, like Hansa, the site has already been seized and is under the control of law enforcement agencies. Given the timing, this is a possibility, but it is impossible to know without a direct statement. The other possibility being entertained, given the increase in DDoS attacks on Darknet markets, is that a competitor is targeting and hoping to take down Dream Market, among others.
The drama surrounding Dream Market is ongoing and involves many uncertainties. Though Dream Market has been around for 6 years, Dark Web marketplaces are typically short-lived. When a Darknet market announces it is shutting down, or when one disappears suddenly, this leaves the entire Dark Web market ecosystem in flux. Buyers and sellers must shift their activities to new markets. Conversely, investigators must shift their focus as new Darknet markets appear or existing ones increase in popularity to accommodate the migration of users. This daunting and seemingly impossible task, curbing the sale of illicit goods online, will never be completed. As law enforcement tactics evolve, so do those of malicious actors on the Dark Web. The key to having a real impact on the Dark Web market space is collaboration. Law enforcement, in an effort to keep up with innovations on the Dark Web, must work closely with private technology providers to boost their own technology and abilities. To combat this menace to community safety and health, we must all work together.
At Media Sonar, we ensure that our purpose, the pursuit of freedom, safety and security for all, is applied to all the technology we create. We are trusted by law enforcement and the private sector to produce applications that help investigate crime on the Dark Web.