Euro Security Watch with Mathew J. Schwartz

Darknet Markets Using Custom Android Apps for Fulfillment

M-Club Used by at Least 7 Drug-Focused Russian-Language Markets, Researchers Report
Mega Darknet Market's homepage (Image: Resecurity)

E-commerce markets offering illicit substances, digital contraband, fraudster tools and other criminal wares continue to thrive.

Many buyers and sellers of such goods and services rely on darknet markets. But no market lives forever, and whenever a major player gets disrupted, users scatter. Some flock to rival services, others start up new options, and underground chatter intensifies over how to better camouflage activities using encrypted chat apps or services (see: Why Darknet Markets Persist).

To better safeguard administrators and users from law enforcement, multiple drug-focused darknet markets last year began testing new strategies: only displaying items for sale to pre-vetted members and providing them with Android apps built using the M-Club engine. So far, researchers have counted seven drug shops using that engine; they may all be working with the same developer.

Over the past year, cybersecurity firm Resecurity reports it has seen multiple "underground drug shops" pursue these strategies.

M-Club was developed "specifically for drug traffickers and is currently marketed on major underground communities," Resecurity reports. "Some of these mobile apps have been recently observed by our experts on seized mobile devices by law enforcement - they belong to several suspects involved in drug trafficking and other illegal operations."

Discussion of M-Club started to appear in cybercrime forum chats by last April, according to underground chatter tracked by threat intelligence firm Kela. As of last week, an advertisement was running on Russian-language forum Legalize, devoted to so-called research chemicals, aka RC. It touts the M-Club's "24/7 user support" and ability to calculate salaries for couriers - aka drug mules - as well as its "multifunctional Telegram bot" designed to improve the customer experience.

Image: Advertisement for M-Club on Russian-language Legalize RC Forum - via Google Translate

The apps are built to support the Russian-language market. "The mobile apps provide the ability to transfer details about successful drug orders, and they can also send geographical coordinates of the 'package' left by the courier for further pick-up," which often gets sent not as text but rather an image, together with any pertinent notes, such as how far below ground the package might be buried, Resecurity reports.

Unlike Western counterparts, Russian-language darknet markets often fulfill orders not by using international or domestic postal or courier services, but instead by leaving the goods in a predetermined dead drop location, reports blockchain intelligence firm TRM Labs.

Unlike many Western offerings, many Russian-language darknet markets only accept bitcoin and rarely monero. They also don't shy away from striving toward local domination, which Western darknet market operators avoid "due to the resulting pressure, attention and risk of law enforcement action that such dominance could bring," TRM Labs says.

Russian Scene Remains Fragmented

Use of the Android apps comes at a time when the wider Russian-language darknet market scene remains fragmented. The dominant player was formerly Hydra market, founded in 2015 as a merger of Russian-language narco forums WayAWay and LegalRC, according to threat intelligence firm Flashpoint. The Russia-based service accounted for 80% of all darknet market activity and generated $1 billion in revenue annually, TRM Labs says.

"Hydra not only facilitated drug sales, but also offered money laundering services to cybercriminals, including ransomware attackers," says blockchain intelligence firm Chainalysis.

A confidential source tells Resecurity: "Hydra created an ecosystem. Everything you needed could be found there." But after Hydra went dark last April due to an international law enforcement operation led by German police, the source said there's now "an oversupply of goods."

As Flashpoint reported last August: "Hydra's demise predictably resulted in seismic shifts in the Russian-language underground." Rival RuTor surged in popularity, backed by marketplace OMGOMG - aka OMG!OMG! - with a pro-Ukrainian slant, while a pro-Russia faction began coalescing last May around Kraken, backed by WayAWay, which proponents promise will serve as a drugs-only marketplace that will become Hydra's replacement, it said.

TRM Labs reports that these four Russian-language offerings now account for 80% of all darknet market revenue: Blacksprut, Mega Darknet, OMGOMG and Solaris.

Kraken has yet to launch. But once unleashed, security experts say widespread backing and user demand for the service could help deliver on its darknet market monopoly ambitions.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
