The Rise and Fall of Dark Web Marketplaces

Posted on March 9, 2020 by Liran Sorani

read the article

Last year was a particularly tumultuous year for dark web marketplaces, with the successful shutdown of major dark web marketplaces Valhall and Wall Street Market. Dream Market, perhaps sensing law enforcement on their tail, preemptively closed their marketplaces as well. 

After shutting down, however, these marketplaces tended to quickly re-brand, springing up as new sites that are often more powerful than the previous. But this is not completely new. According to cryptocurrency investigation and compliance firm Chainalysis, traffic on AlphaBay and Hansa, successors to Silk Road, had 5 times as much traffic in 2017 as Silk Road ever did

So how can law enforcement agencies (LEA) not only find these dark web marketplaces and their administrator but keep their eye on the constant reincarnations of these sites, making it more difficult for future crimes to be executed?  

A Constant Game of Cat and Mouse 

Federal investigators need several different factors to come into play to successfully find darknet marketplace admins. First, they track the site activity over a period of time, waiting for a careless error like a misconfigured CAPTCHA that reveals the IP of the admin, as was the case with Silk Road 1. Next, investigators need to carefully coordinate the efforts of different governmental agencies across geographic regions, aided by dark web monitoring technology. 

Let’s examine a few examples of how an advanced dark web monitoring service can help LEA keep up with these marketplaces as they continually open, close and evolve into new sites and marketplaces. 

Monitoring Migrating Marketplaces into Chat Platforms

Since Tor is no longer considered safe fully anonymous, cyber criminals are quickly moving to more seemingly secure platforms, such as the Invisible Internet Project (I2P), an anonymous peer-to-peer network that encrypts user’s traffic and shuttles it through a network of over 50,000 computers around the world. 

In this post found in Webhose’s Cyber API, the admin of the Libertas marketplace is announcing their move to the I2P network. 

Identify the Closing and Reopening of Marketplaces in Near Real-Time

Before Dream Market announced it would shut down on April 30 2019, it had been considered the second-largest darknet marketplace to date. In just 5 months before Samsara closed its site on November 9, 2019, it prospered as a marketplace with over 500 vendors and 30K posts. As of the publishing of this post, no one knows the real reason behind the shutdown. 

Samsara Website Homepage

Through careful dark web monitoring, however, investigators may have been clued in advance of the shutdown. 

Here is a post indicating that Samara is experiencing heavy DDoS attacks:

Although this could be a troll post or someone imitating a SamaSara Market admin; it’s often an indicator that there is instability in a marketplace. Law enforcement investigators can take these posts into consideration when keeping their eye on these darkweb markets and going after the admins. The original post is no longer available; but it can be found in Webhose’s Cyber API repository. 

Here’s another example of how advanced web monitoring technology was able to identify one of these evolving markets. 

Tochka, a dark web marketplace selling illegal drugs, stolen data and other services. It began offering its services as early as 2015. The marketplace stopped working on November 28, 2019 without any prior notice. Users claimed that it was due to an exit scam but it is unclear what actually happened. But just a few days later after the shutdown on December 3, 2019, Webhose’s Cyber team identified a new marketplace, Axcess Market, that uses Tochka’s website template. This was seen in striking similarities to the UX/UI and site architecture of the two sites (i.e. similar homepages, login and site categories). 

Image result for tochka marketplace

Tochka marketplace homepage displaying products for sale

The new marketplace could have been created to replace Tochka or it could indicate an intentional exit scam. It could also indicate repeated DDoS attacks or other severe issues that forced the admins to open a new marketplace (similar to what allegedly happened to Dream Market). 

Axcess Market vendor selling fake driver’s license

Whatever the reason behind the shutdown, early alert as to the new marketplace can give LEA a heads up and advantage when pursuing these admins.

Identify Marketplace Evolutions Through Actor Keyword Search

Let’s examine a more complex example of how Webhose’s Cyber API can continue to monitor sites as they evolve as different marketplace reincarnations. 

A mere two months later after Dream Market closed its marketplace, Samsara Market opened its doors, with all the functions and capabilities of Dream Market. 

Advanced dark web monitoring can also provide strong evidence that Samsara was opened by a former dream staff member by searching across the millions of sites, files, marketplaces, message platforms and forums to find posts by the same actor. 

Here is an example of a post from a user by the name of “Waterchain” in a darknet forum (calling itself the “Avengers” forum) claiming to be the admin of Dream Market and that he has been caught by the Dutch police. He also warns other users to encrypt the addresses and tumble their Bitcoins to avoid his same fate.

Although that forum is no longer active, a record of it has been maintained in the Cyber API. 

Using a comprehensive search advanced dark web monitoring service that allows searching of posts across all endpoints, we find a post mentioning the same user 2 months later. 

The message in a Dread forum announced that: 

“As again We ‘SamSara Staff including Waterchain” will be using this account announcing everything related to SamSara Market. Waterchain is not banned and the account has been voluntarily removed, as you probably have noticed some other user has registered the name “Waterchain and is making indeed troll posts.”

Note that this post was particularly interesting as a connection was made between the Waterchain user in both Dream market and Samsara markets. 

To Catch A Dark Web Cyber Criminal

It becomes impossible for LEA to stay on top of the constant rise and fall of the seemingly infinte number of dark web marketplaces. Today we find that law enforcement agencies rely on dark web monitoring to stay a step ahead of marketplace admins and their frequent evolutions. The history of a marketplace cannot be restored from the dark web, but only through an advanced monitoring service that can leverage actor profiling based on monitoring of an actor’s activities and interactions. Although it takes only one mistake for these actors to be caught by LEA, they need to first be able to find this mistake – which can be done through comprehensive and constant monitoring of as many dark networks as possible.