Darknet markets (DNMs) have been in mainstream news for at least a decade, starting with the now-defunct Silk Road and the arrest and seizure of assets of its founder, Ross Ulbricht. Since then, many more DNMs have come into existence, selling drugs, access to compromised accounts and networks, malware and stolen data, to name a few.
Over the past four years, several high-profile law enforcement actions have taken down popular DNMs such as DarkMarket, Wall Street Market, Silk Road, AlphaBay, and Hansa. This does not mean police are winning the war against cyber criminals, nor are your data or networks any safer after a successful police operation.
Image: RDP connections for sale in a darknet market | CC by Threat Essentials
Researchers have discovered that when DNMs stop trading, there is an initial drop in darknet trading volume. After that, the overall trend is that trading simply moves to other DNMs, and trading volume returns to previous levels within a month.
DNM vendors are proving to be highly resilient against law enforcement operations. Instead of relying on specific marketplaces to sell their goods, many vendors now establish an identity (or ‘brand’) independent of the darknet sites they trade on. A marketing tactic popular with vendors is to create their own Telegram channel, where they announce important trading information such as which forums and DNMs they are currently selling on.
Image: Darknet market selling RDP access, with live verification | CC by Threat Essentials
When the police seize a marketplace, or it is suddenly closed by its administrators, vendors use their Telegram channels or equivalent dark web social media to promptly announce that they have not been arrested, naming the other marketplaces where they continue to operate. To assure customers these announcements are authentic, vendors usually sign them with a cryptographic GPG key. The result is a migration of customers from the closed marketplace to another where the vendor is still trading.
Vendors also benefit from the functionality of dark web-focused search engines such as Recon. These collect data on vendors and marketplaces, including customer reviews and rankings, and list the sites where they do business, thereby enhancing vendor resilience against marketplace closures. Researchers have discovered that while individual markets may collapse in response to police operations, the coordinated migration of customers to coexisting markets “guarantees overall systemic resilience beyond the intrinsic fragility of individual markets. The migration is swift, efficient and common to all market closures”.
What we recommend
At Threat Essentials, we closely monitor illicit vendors as well as the marketplaces they trade in. We collect intelligence on the actors selling data that may adversely affect your business. Our unique portal allows you to see and be alerted, in a timely manner, to dark web interactions that may affect you.
To find out more about how Threat Essentials can support your cyber defences, get in touch with a Threat Essentials analyst at email@example.com