Anyone accustomed to using the internet to make illegal purchases of illicit goods – including malicious code – is probably feeling anxious today. Why? Because a combined law enforcement effort has taken down two of the largest “dark markets,” namely AlphaBay and Hansa. Furthermore, the clever way in which the authorities carried out this international police operation means that a lot of customers of these “secret” markets may now be identifiable.
In this article we look at what dark markets are, what specific actions authorities have recently taken against them, and what effect these may have.
Dark words
Basically, a dark market is a place to buy and sell goods online that is not readily accessible to the public. The FBI uses the following terms to describe this phenomenon. First, there is the Clear Web, the one we’re most familiar with, searchable through Google and Bing, comprising everything from news sites to social media, streaming media, and traditional e-commerce businesses like online banks and stores such as Amazon.
In addition to the Clear Web, there is a whole bunch of Internet-enabled activity that is not readily searchable and cannot be reached without special software or appropriate credentials. This is the Deep Web, and it includes member-only sites and forums used to discuss and transact illegal activity. Markets in the Deep Web are referred to as dark markets.
A subset of the Deep Web can only be accessed with special networking software (for example, the Tor Browser). This part of the Deep Web is known as the Darknet.
The Darknet is where the AlphaBay and Hansa dark markets were located. Despite the FBI’s efforts to stick to this terminology, it is quite common for people to refer generically to any illicit Internet activity as Dark Web activity (and let’s face it, these are all terms that are evolving over time, without “official” definitions).
Dark deeds
So what were the AlphaBay and Hansa markets doing that bothered law enforcement? They were enabling people to buy and sell goods and services that are illegal to buy or sell or own. For example, in many countries and U.S. states it is illegal for citizens to own completely automatic firearms with large-capacity magazines, but you can buy them in dark markets (as seen pictured below). The sale and purchase of malicious code such as ransomware is also illegal in many jurisdictions, but dark markets make it possible (see in the image below).
Clearly, dark markets that traffic in these items, and others like child pornography, banned substances, and hacking services, are crime-enabling institutions. The crime enablement aspect of dark markets is enhanced by the fact that the transactions use crypto-currencies like Bitcoin, and so parties to the buying and selling activity are hard to trace. So it is not surprising that law enforcement agencies in many countries are keen to take down dark markets and punish their operators.
Dark times for Darknet?
You may recall the 2013 takedown of Silk Road, a Darknet predecessor to AlphaBay and Hansa, and the life sentence handed down to its creator-operator Ross Ulbricht (that sentence was recently upheld by the U.S. Court of Appeals for the Second Circuit).
You may also know that new iterations of Silk Road appeared despite law enforcement efforts. This is due in part to the fact that a dark market typically hosts a collection of sellers, more of a dark bazaar than a dark department store. If they lose their stall in one market, sellers quickly migrate to a different market.
So it is unlikely that this latest development in the global effort to reduce cybercrime, the takedown of AlphaBay and Hansa, will end the practice of selling illegal goods on the Internet. However, it might well deter some aspiring criminals, particularly if the persons responsible for AlphaBay and Hansa meet the same fate at the hands of the criminal justice system as Ross Ulbricht. (In a tragic twist, the alleged creator of AlphaBay, a Canadian citizen living in Thailand, appears to have committed suicide in prison not long after his arrest.)
The AlphaBay/Hansa takedown is also likely to discourage some dark market sellers, given the way it was carried out: the one-two punch. By studying past takedowns it was clear that customers quickly migrated from the closed market to the next best market (as in, “If I can’t get it at Amazon.com, I’ll try Walmart.com.”).
So here’s what happened: the Dutch police took full control of Hansa on June 20. However, they didn’t close it right away. They waited until AlphaBay was closed. According to CNET, when AlphaBay closed, the police saw traffic heading to Hansa spike eight-fold. Rob Wainwright, the Europol director, said, "We could identify and disrupt the regular criminal activity that was happening on the Hansa market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities.”
In announcing the AlphaBay takedown, U.S. authorities left no doubt as to how serious they are about prosecuting this type of criminal activity: “The seizure and shutdown of the AlphaBay criminal marketplace and the indictment and arrest of its founder should send a clear message. If you choose to become involved in administering a site like AlphaBay on the dark web, or decide to use it to engage in criminal transactions, you will have federal law enforcement and United States attorney offices from every district and state across the nation pursuing you.”
Dark aftermath?
If you read what people familiar with dark markets are saying online, then it seems that this one-two blow has really shaken what you might call “dark market confidence.” When people talk about taking an extended break from purchasing, you know there is an abundance of fear and suspicion, which was clearly one of the goals of the police action (pictured in image below).
It will be interesting to see what effect, if any, the takedowns have on malware campaigns. We know that dark markets have enabled crimeware-as-a-service operations, notably ransomware-as-a-service. Will there be a temporary reprieve? Will a significant percentage of would-be criminals decide to do something more legitimate with their time and resources? Will the more committed criminals simply move their operations to other parts of the Deep Web?
I tend to think some folks will continue to try their hand in dark markets. A hallmark of predatory criminals is the belief that they will never be caught, and sadly only a small percentage of cybercriminals are caught. If you look at how much dark markets have evolved, offering “fast, client-facing support” as well as escrow services and multilingual help (below image), you get the impression they are backed by some fairly determined people.