
Era of the eBay-Like Underground Markets Is Ending

Report: Cybercriminals Moving to Secure Chat Platforms, Conventional Forums
Takedown notices displayed on the Hansa and AlphaBay darknet marketplace homepages.

It probably wasn't a good idea anyway: Creating an underground online market with all the features of eBay, but offering a smorgasbord of fake IDs, drugs, malware and stolen credit card numbers.


The most famous market, Silk Road, was shuttered in 2013 after an off-duty IRS agent discovered an email address that led to its lead developer, Ross Ulbricht. Last year, AlphaBay was seized after a similar mistake by one of its developers, and Hansa fell after law enforcement managed to infiltrate the site (see Police Seize World's Two Largest Darknet Marketplaces).

Other underground markets, such as Dream Market and Olympus, are still around. But neither matches the popularity of AlphaBay, says Digital Shadows, a threat intelligence company that studies cybercrime.

Telegram channels for buying and selling payment card details. (Source: Digital Shadows)

The company issued a new report earlier this week that notes that cybercriminal activity certainly isn't declining, but the era of the underground market may be passing. Instead, cybercriminals are doing deals using encrypted chat platforms.

"The primary channels are Telegram, Discord, Skype, Jabber, and IRC," the report says. "With buyers and sellers spread widely across an increasingly decentralized community, the belief is that it will be more difficult for law enforcement."

Indeed, law enforcement agencies in the U.S., U.K., and Australia have warned that the increasing use of encryption, especially over chat services, is posing difficulties for crime investigators. While some experts contest the claims, law enforcement is pushing for legislation to put greater pressure on the technology industry to assist decryption efforts (see Australia Plans to Force Tech Companies to Decrypt Content).

Risky Operations

A variety of factors are contributing to the decline of underground marketplaces, Digital Shadows says.

Markets such as the Silk Road and others were "hidden" websites, which used the Tor anonymity system to mask the sites' real IP addresses. But setting up the sites and maintaining them poses risks. No one person can do it all alone. It's also not cheap, Digital Shadows says.

Administrators must pay for staff, bulletproof hosting, DDoS protection and sometimes bug bounty programs. The dependence on other players and services also creates more touch points for law enforcement investigators to tap.

Bogus US$20 bills for sale on Wall Street Market, an active underground site.

Plus, buyers are becoming increasingly skittish, afraid of being duped into ordering from a site that has been co-opted by the law. Then there's also fear of losing money to scammers on an underground site, a somewhat ironic risk.

"Conducting online transactions on underground marketplaces has always entailed a high degree of risk," Digital Shadows says. "Site owners often perform exit scams and steal funds from customers, sellers sometimes renege on their promises and the threat of law enforcement always looms large."

Blockchain-Based DNS

The danger of running and transacting with underground marketplaces has driven some back to conventional forums, such as Exploit[dot]in, with deals made directly between buyers and sellers over encrypted chat.

Those forums have also sought to increase their security and privacy protections, including use of blockchain-based DNS, Digital Shadows says.

Blockchains are distributed, peer-to-peer ledgers that record transactions for virtual currencies, such as bitcoin. Blockchains are relatively tamper-proof and can be used to store any type of data, not just transaction data.

Many users see blockchain-based DNS as a way to preserve anonymity when registering domain names and to avoid censorship. Projects include Namecoin and Emercoin.

The top-level domains for websites using blockchain DNS systems sit outside the normal DNS, so a plugin or a proxy service has to be used to successfully resolve a domain.

But once domain registration information has been lodged into a blockchain, the domains are resistant to DNS-related censorship and hijacking. That has already made DNS blockchains appealing to malware writers, FireEye wrote in April.

Digital Shadows says the Joker's Stash site, a well-known carding site, is using the .bazar TLD, which is an Emercoin TLD, in addition to a .onion domain.

"As blockchain domains do not have a central authority, and registrations contain a unique encrypted hash of each user rather than an individual's name or address, it is much harder for law enforcement to take down criminal sites," the report says.
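Because these TLDs sit outside the normal DNS, lookups for them stand out in resolver logs. The following is an added example, not code from Digital Shadows or the original article, that scans a DNS query log for such lookups and groups them by client. The log format, sample lines and function names are assumptions, and the TLDs other than .bazar (.bit for Namecoin; .coin, .emc and .lib for Emercoin) are supplied here rather than taken from the article.

```python
import re
from collections import defaultdict

# TLDs resolved from a blockchain instead of the ICANN root. ".bazar" is the
# one named in the article; the others are added here (Namecoin / Emercoin).
BLOCKCHAIN_TLDS = {"bit": "Namecoin", "bazar": "Emercoin", "coin": "Emercoin",
                   "emc": "Emercoin", "lib": "Emercoin"}

# Assumed log format: "<timestamp> <client-ip> <qtype> <qname> <rcode>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample data, not real traffic.
SAMPLE_LOG = """\
2018-06-01T09:14:02Z 10.0.4.17 A www.example.com. NOERROR
2018-06-01T09:14:05Z 10.0.4.17 A shop.example.BAZAR. NXDOMAIN
2018-06-01T09:15:40Z 10.0.7.3 A updates.example.bit NOERROR
2018-06-01T09:15:41Z 10.0.7.3 AAAA bit.example.org. NOERROR
malformed line
2018-06-01T09:16:00Z 10.0.7.3 A cdn.example.coin. NXDOMAIN
"""

def blockchain_system(qname):
    """Return the naming system for qname's TLD, or None for ordinary names."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return BLOCKCHAIN_TLDS.get(labels[-1])

def find_blockchain_lookups(log_text):
    """Group blockchain-DNS lookups by client IP, skipping unparseable lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname, rcode = m.groups()
        system = blockchain_system(qname)
        if system:
            hits[client].append({
                "time": ts,
                "name": qname.rstrip(".").lower(),
                "system": system,
                # NOERROR means a resolver or proxy on the path can resolve
                # these names; NXDOMAIN is an attempt that failed.
                "resolved": rcode.upper() == "NOERROR",
            })
    return dict(hits)

if __name__ == "__main__":
    for client, lookups in find_blockchain_lookups(SAMPLE_LOG).items():
        for hit in lookups:
            print(client, hit["time"], hit["name"], hit["system"], hit["resolved"])
```

A lookup that comes back NOERROR deserves the closer look, since it implies the client has a working plugin, proxy or alternative resolver for these names.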

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
