Dark Web Markets: Are They Still a Corporate Security Threat?

Over half of Dark Web markets now contain higher concentrations of digital attack tools, identities, accounts, and information for sale rather than drugs and chemicals. Investigating the Dark Web is more crucial than ever before for organizations.

In August 2020, having led an international raid arresting over 172 Dark Web vendors, Interpol proclaimed “The Underground Golden Age Is Over”. You have heard the expression, “You can kill a man, but you can’t kill an idea.” Dark Web markets follow suit – you can shut them down but the idea remains.

Looking at evidence across the Dark Web, markets are still growing in number, adapting to conditions, and are getting stronger. Even more alarming is a higher focus on the sale of digital goods, such as corporate information and identities.

In this article, we will dive into different Dark Web markets, exit scams and raids, and the changing processes and technologies used to combat them.

Not all Dark Web Markets are Created Equal

The list of markets changes all the time and different markets tend to cater to specific needs and niches. As an example, Berlusconi, a once leading but now defunct market, focused on pharmaceuticals and chemicals. Alternatively, AlphaBay, seized in 2017, focused on credit card information. Lastly, Tochka, active as of September 2020, is heavily concentrated with leaked accounts and data breach information. 

Across many of the different networks, you can find different concentrations of information. Using the Media Sonar platform and keyword group systems, we looked at a relative breakdown of content across these different markets.

Some examples of content available on these networks are posts and ads with titles like:

  • “Botnet for rent”
  • “Best Hacking Mega Pack (Rates, keyloggers, Cracks)”
  • “FULLZ Credit Cards”
  • “How to sell trade secrets, willing to share profit”
  • “Bugcrowds’ Netflix Account Compromise”
  • “Clearview AI Client List”
  • “Amazon Phishing pages with full info grabber (login, password, personal details, billing details, reset email)”
  • “Selling ATT Verizon Employee Data”

Dark Web Security Threats Are Shifting

While drugs and chemicals make up a large portion of many Dark Web markets, over half of most marketplaces now contain higher concentrations of digital attack methods and tools, identities, accounts, and information for sale.

The Avaris market (to the right) received over 9,600 new ads between September 2019 and 2020. While drugs and chemicals still hold the biggest slice, compromised accounts provide a majority of content.

Compromised Accounts, Phishing & Doxxing on the Rise

Piazza, another lesser-known Dark Web market, contains an alarming amount of breach data for sale – almost 100 new ads per month.

In addition, they are selling over 400 different tools, guides, and techniques for phishing, malware, ransomware, and other digital attack vectors.

Counterfeit Identities on Dark Web Markets

Marketplaces like Hydra, which touts itself as the “Biggest Russian Market”, are home to high concentrations of counterfeit identities, including paystubs, employee badges, credit cards, licences, passports and more. 

Dark Web markets are showing an increase in corporate security threats. Selling business information and identities has proven to be less risky than selling and manufacturing physical products, such as drugs. It has also proven to be more profitable, as the information can be sold an unlimited number of times for different uses.

Get free access to Impact of Dark Web Markets on Corporate Security & Public Safety to understand the risks that these types of marketplaces can have on your organization and why security teams should put investigating the Dark Web at the top of their priorities.

How Technology Grows on the Dark Web

As with any piece of technology, Dark Web markets are constantly trying to build a more secure, efficient, and intelligent experience. New markets have taken on many changes, including the integration of more anonymous currencies, bot detection, and even AI solutions.

Moving to More Anonymous Currencies:

Bitcoin, previously the standard of Dark Web markets, has been dropping out of favor and is being replaced by Monero, a more secure currency. Bitcoin still retains value in many of the other markets, but some markets now accept Monero as the only currency.

Integrating Machine Learning:

In Dark Web marketplaces, where transactions are always suspect and exit scams are common, along comes IronRat – an AI software for automated dispute resolution. IronRat makes sites more user-friendly and removes the chance of information being exposed or leaked that could lead to a compromise. 

Eternos, a much-hyped Dark Web market due to launch in September 2020, will be the first to use IronRat.

Better at Stopping Bots:

Dark Web markets have always been plagued with poor uptime, often only being available for 70-80% of the day. This is due to DDoS attacks, hacking, and the instabilities involved in hosting on the Tor network. However, new internally-developed technologies have arisen that act as a bot-detection system in front of login pages, so that markets are now available 95-100% of the time each day. Ten of the largest markets are already using these systems.

V3 Onion Protocol

Notice the difference between http://grams7enqfy4nieo.onion/ (V2) and something like dfknuasdsainxkasnxakjnxkkscnksaakxasmoxa.onion (V3). The V3 onion protocol offers key advantages to the network service:

  • Better encryption
  • Less information passed to directory services
  • Smaller surface areas for attacks and DDoS
  • Better domain security against impersonation

While the new domains are more secure, many admins bemoan the difficulty in making the new domains easy to remember, with one Reddit user saying, “the problem is that you need to constantly invest in marketing for your onion to be found by users”.
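For analysts triaging onion addresses that turn up in monitoring results, the V2/V3 difference above can be checked mechanically. The following is an added example, not code from the article or from Media Sonar; the function names are this example's own, and the checksum layout is the one given in Tor's rend-spec-v3 (32-byte public key, 2-byte checksum, version byte 0x03). The V3 sample is built from a constructed key, not a real service.

```python
import base64
import hashlib
from urllib.parse import urlsplit

V3_VERSION = b"\x03"

def v3_checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Build a V3 hostname from a 32-byte ed25519 public key."""
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify_onion(value: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname or URL."""
    host = urlsplit(value).hostname if "://" in value else value
    host = (host or "").strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]  # drop any subdomain
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # bad length or characters outside a-z, 2-7
        return "invalid"
    if len(label) == 16:
        return "v2"  # 80-bit truncated hash of an RSA key, no checksum
    if len(label) == 56:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        # The embedded checksum catches mistyped or altered addresses.
        if version == V3_VERSION and checksum == v3_checksum(pubkey):
            return "v3"
    return "invalid"

if __name__ == "__main__":
    samples = [
        "http://grams7enqfy4nieo.onion/",                  # V2 example from the article
        "dfknuasdsainxkasnxakjnxkkscnksaakxasmoxa.onion",  # article's illustrative string
        encode_v3(bytes(range(32))),                       # constructed key, not a real service
    ]
    for s in samples:
        print(f"{classify_onion(s):8} {s}")
```

The article's "something like" V3 string is shorter than the 56 characters a V3 address requires, so it is reported as invalid.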

How to Take Down a Dark Web market

3 Stages of Dark Web Exit Scams

Dark Web markets are notably fickle and many are exit-scammed. An exit scam, in essence, is when owners of the market “take the money and run.”

  1. First, the ability for vendors to withdraw funds becomes unavailable while the ability for buyers to deposit funds is unaffected. Sometimes this is blamed on technical issues. This increases the amount of money held by the market in escrow or vendors’ accounts.
  2. The word begins to spread on forums and messaging boards. Small search engines begin to delist the site, warnings spread across sources like Dread, and active disinformation campaigns begin, buying more time for the market value to rise.
  3. Lastly, support and administrators seem to disappear. The market is either left stalled, taken over by new owners, or shut down completely. 

This is quite a profitable venture, with most exit scams generating millions of dollars for the owners. When Nucleus, a small market by comparison, ceased operations in 2016, over 5000 bitcoin (~$55 million USD) disappeared.

Occasionally, international task forces are able to perform sweeping busts of markets; however, given their size and technological advances, Dark Web markets are able to move forward. With over 25,000 different vendors, the September 2020 bust of 179 vendors impacted less than 1% of Dark Web markets overall.

Vendors and suppliers on the Dark Web have learned their lessons and now operate on dozens of markets at a time to diversify. According to one user on Dread, a Dark Web version of Reddit on the Tor network, “No ones scared off… We just move on.” It is just the cost of doing business.

With vendors diversifying across many networks, an increasing concentration of critical corporate information, and security advancements among Dark Web markets, you need a solution that allows you to monitor your exposure to the Dark Web. This type of visibility will keep you alerted to new threats such as leaks of insider information, compromised accounts, and new cyber attack vectors. With Media Sonar, that takes 30 seconds.