Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Don’t Turn out the Lights on Dark Web Marketplaces

We’ve all heard the phrase: “When one door closes, a window opens.” You can bet that as you’re reading this, those engaged in cyber crime on the dark web are looking for that next ‘market place window’ to open.

We’ve all heard the phrase: “When one door closes, a window opens.” You can bet that as you’re reading this, those engaged in cyber crime on the dark web are looking for that next ‘market place window’ to open.

The takedown of AlphaBay by an international law enforcement investigation, followed soon thereafter by the takedown of Hansa, has left many wondering about the future of dark web market places. An erosion of trust in these more established marketplace models will likely derail efforts by others to fill the void quickly. But the fact remains, sellers still need to find customers and customers still need access to illicit goods and services. So what’s next for illegal, online trade?

As I’ve discussed before, it is important to remember that criminal activity isn’t limited to the dark web, particularly given the fact that some countries don’t extradite cybercriminals. This is especially the case with more sophisticated level Russian-speaking criminals. With minimal consequences, bad actors have no incentive to hide. As a result, cybercrime is an Internet-wide problem, almost equally present on the deep and open web.

That said, it’s also safe to assume that disillusioned buyers are seeking alternative, more secure and anonymized methods for conducting online transactions via the dark web. Despite the popularity and convenience of AlphaBay for selling drugs and credit card information, for years cybercriminals selling sensitive data or malware variants frequently opted for direct peer-to-peer (P2P) communication and relationships made on specialized forums. The P2P model provides more control and helps safeguard against exit scams and loss of funds, which weighed heavily on vendors and customers.

We’re now seeing a more “formalized” approach to this method of trade. One of the first fully-decentralized P2P marketplaces is known as OpenBazaar, an open source project that allows the unrestricted sale of goods between anonymous buyers and sellers. OpenBazaar is accessed through a front-end client that can be freely downloaded from the project website. All transactions are made using Bitcoin and are recorded on the project Blockchain as cryptographically signed smart contracts. This addresses problems with user trust; if all transactions are permanently recorded, vendors who attempt to scam buyers can be more easily identified. Furthermore, platform operators have no control over listings and the platform is split among many nodes, making it highly resilient to law enforcement takedowns or attacks by other criminal actors.

The success of these new marketplaces remains to be seen and depends on these five drivers:

1. Adoption – Blockchain projects are not yet mainstream and are not widely understood. These platforms must become more commonly used before criminal actors will trust and embrace them.

2. Content control – Lack of centralized control is a double-edge sword, it makes the platform resilient but it also means there is less control over the material uploaded, opening up the door to material that even criminal actors find objectionable. Marketplaces that implement some level of content control will be more attractive.

Advertisement. Scroll to continue reading.

3. Vendor attraction – Customers want to shop at marketplaces with successful vendors. Those market places that attract prominent vendors will naturally become more popular.

4. Secure communications – Blockchain-based platforms publicly record all messages, complicating private messaging between users. Platforms that can integrate secure messaging systems without compromising performance will attract more criminal actors.

5. User experience – As with all shopping experiences, marketplaces that can establish stable, feature-rich interfaces that seamlessly integrate payment platforms (in this case cryptocurrency platforms) will entice more users.

The emergence of decentralized marketplaces within the criminal ecosystem poses significant challenges for law enforcement agencies and private security vendors. Although public blockchains can be freely mined for data, the very high volume of content is likely to make parsing this information and developing actionable intelligence very technically and logistically challenging. Furthermore, previous law enforcement operations targeting criminal marketplaces or forums have tended to revolve around targeting site operators or geo-locating servers and conducting raids; neither of these would likely be effective for targeting a decentralized platform. In this scenario, it would be more effective to target individual prominent vendors or vendor networks and attempt to identify and locate them, admittedly a more piecemeal approach.

Decentralized marketplaces are not yet the dominant model, with many buyers and sellers having moved to Dream marketplace. However, there is growing interest in this model and we’ll be keeping tabs on what forms they will take, as well as how law enforcement and security researchers will overcome the challenges they present.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights