Table of Contents
Executive Summary
A Fork in the Road: The three possible routes in 2017
Missed Opportunity: Existing markets are failing to capture market share
Barriers to Entry: The limited emergence of viable new markets
Hidden costs to running a marketplace
Getting it right takes time
Adapt or Fail: Increased adoption of alternative techniques and technologies
Blockchain: Steady but not explosive growth
New measures to improving site security
Trading Channels: Alternative communication networks gaining traction
Out of Sight, But Not Out of Mind: Risks remain for businesses and consumers
Seize and Desist? The State of Cybercrime in the Post-AlphaBay and Hansa Age · www.digitalshadows.com 2
Executive Summary
When law enforcement announced the seizure of AlphaBay in July 2017, the United States Attorney General Jeff
Sessions described the operation as:
“one of the most important criminal investigations of the year…because of this operation, the American people are safer
– safer from the threat of identity fraud and malware, and safer from deadly drugs.” 1
The timing and coordination of the law enforcement operation, known as Operation Bayonet, was a clear success and
has contributed to multiple subsequent arrests.2 Almost one year later, the marketplace model appears to be in decline,
but the risks to businesses and consumers have not subsided. Instead, this paper demonstrates that cybercriminals have
taken to incorporating new processes, technologies, and communication methods to continue their activities.
• AlphaBay left a gap, albeit not as large as we may have assumed. Despite boasting over 40,000 vendors
and an estimated $1 billion in trade, AlphaBay was just one player within a much broader ecosystem.
Russian-speaking cybercrime, in particular, has been largely undisrupted.
• Existing marketplaces have failed to capitalize on the gaps. Within the English-speaking underground, the
Dream and Olympus markets have fallen short of satisfying the demands that AlphaBay once catered to.
• There are barriers to entry for new markets. Despite the residual demand for the services AlphaBay
provided, there are significant barriers to entry for people wanting to set up their own marketplaces. While it is
relatively easy to set up a marketplace, there are challenges with fostering trust amongst users, as well as hidden
monthly running costs.
• Blockchain experiences steady growth. Well-known criminal sites, such as Joker’s Stash, have adopted
blockchain hosting. Another market using this decentralized technology, OpenBazaar, has experienced a growth
of four thousand new users in the last four months. Adoption of this technology is still in its infancy, but this is one
to look out for in future.
• Cybercriminals have increasingly shifted towards peer-to-peer networks and chat channels. Over the
last six months, we’ve observed over 5,000 Telegram links shared across criminal forums and dark web sites, of
which 1,667 were invite links to new groups. To a lesser extent, Discord is also being embraced by cybercriminals,
with 743 invites observed across criminal forums and dark web sites across the last six months. This retrenchment
away from the centralized marketplace in favor of a more diffuse model has been an ongoing trend that pre-dates
Operation Bayonet.
• Risks remain for organizations and consumers beyond the marketplace. There are four areas of concern
that are still present in the cybercriminal ecosystem despite the demise of AlphaBay and Hansa: 1) payment card
fraud, 2) account takeover, 3) counterfeits, and 4) insider threats.
A Fork in the Road
The three possible routes in 2017
For the English-speaking community, the seizure of AlphaBay and Hansa in Operation Bayonet meant tens of
thousands of vendors and buyers had to look elsewhere to continue conducting their business. At the time of
AlphaBay’s disappearance in early July 2017 - when conflicting rumors of exit scams, site technical problems, and law
enforcement action crippled online discussion boards - we assessed that the post-AlphaBay future could take one of
three forms3:
1. An older, established market would replace AlphaBay. Historically, when popular marketplaces
disappear, users simply migrate to other well-known sites. The effects of law enforcement action are therefore
relatively short-lived, becoming a game of “whack-a-mole” where cybercriminals are always one step ahead.
2. A new marketplace would emerge from AlphaBay’s ashes. Some users were so fond of their former
haunt that they tried to form a new iteration of the site called GammaBay. Others suggested forming a new
site altogether. However, creating and maintaining a new marketplace is fraught with difficulties. Fostering
trust among a cybercriminal community that has grown increasingly nervous and skeptical of law enforcement
honeypot sites is a major challenge. Another barrier is the cost associated with building and operating an online
marketplace. Buyers and sellers are discerning, and sites like AlphaBay and Hansa need dedicated
administrators, support personnel, and technical knowledge to deliver the level of service required to be
successful.
3. Users would abandon the marketplace model and look for alternative solutions. Conducting online
transactions on underground marketplaces has always entailed a high degree of risk. Site owners often perform
exit scams and steal funds from customers, sellers sometimes renege on their promises, and the threat of law
enforcement always looms large. The AlphaBay and Hansa takedown revelations served to further disillusion
a large section of the cybercriminal community. This strengthened calls for new technologies and processes,
including increasing security and anonymity through the direct peer-to-peer (P2P) communication already
favored on more specialized forums, or enforcing more stringent vetting procedures for new members. Some
even entertained ideas of a more radical, fully-decentralized marketplace model, manifested in sites such as
OpenBazaar.
Almost one year since the AlphaBay and Hansa takedowns, no single marketplace has risen to the top, at least among
the English-speaking community. Mistrust and fear are rife, and this has, in part, prevented a new marketplace
(the second scenario) from flourishing. While some users have pined for the decentralized marketplace model, the
cybercriminal community has instead focused its efforts on decentralizing by conducting transactions across a variety
of chat and messaging networks, while also adapting their technologies and processes to increase the security,
reliability, and trust of existing sites. This retrenchment away from the centralized marketplace in favor of a more
diffuse model has been an ongoing trend that pre-dates Operation Bayonet. With no major alternative to AlphaBay
and Hansa, increasing numbers of users are turning to these alternative platforms.
Missed Opportunity
Existing markets are failing to capture market share
At first it seemed to be business as usual; former AlphaBay vendors quickly began advertising their products on
other markets such as Hansa and Dream. The conversation quickly turned to which of these two sites would assume
AlphaBay’s mantle. However, Operation Bayonet’s clever use of Hansa to lure and capture AlphaBay “refugees” made
the online community very jittery. Rumors soon began flying about other potential law enforcement-controlled dark
web sites. Dream Market was a particular concern. Users were alarmed at the suspiciously low amount of downtime
experienced by the site, and many suspected it was in the hands of the police (Figure 1).
Figure 1: A post on reddit from 20 July 2017 claiming Dream Market was being operated by law enforcement
Although Dream Market may have seemed to be the natural successor to AlphaBay and Hansa, a combination of
poor user experience, uncommunicative administrators, and fear of law enforcement means the site has failed to
capture market share. Claims by users that their funds have disappeared, and the memory of Operation Bayonet, have
diminished trust in the site. As one user stated, while Dream is still live, it’s more of a “zombie” market: “the body is alive,
but the brain is dead and gone” (Figure 2).
Olympus marketplace
Since February 2018, a relatively new site known as “Olympus” showed real promise of cementing itself as the most
popular dark web market (Figure 3). Its pleasing pastel color scheme, easy to navigate user interface, and
implementation of Monero cryptocurrency payments meant it developed a strong reputation. Trust, however, is a
fragile thing, and a miscalculation by the Olympus administrator saw the site’s reputation crumble in an instant.
On April 23, 2018 Olympus’ administrator claimed they were in the process of hacking Dread (Figure 4). Dread is – or
at least was – a reddit-style community run by a user (HugBunter) who was infamous for pointing out security flaws in
other dark web marketplaces.4
Figure 3: A screenshot of the Olympus market
Figure 4: A post on Olympus market’s forum section
This was not a “hack” in the traditional sense. Instead, the Olympus administrator allegedly acquired access to the
Dread servers from an insider. What was significant about this incident was that the user community of Dread rallied
behind HugBunter, with the consensus being that Olympus was in the wrong and Dread was the innocent victim.
In the end, the moderators of Olympus issued an apology to the Dread administrators for their actions. Tellingly,
Olympus was aware of the damage it had caused to its own reputation, stating that it “will hire a good PR within the
next few days.”
Just as with legitimate businesses, a positive public image is important to drive revenue. At the time of writing,
Olympus was no longer accessible, and another potential successor to AlphaBay and Hansa seems to have bitten the
dust.
Barriers to Entry
The limited emergence of viable new markets
The Olympus saga is a timely reminder of how trust can
make or break a marketplace. Prospective customers
fear exit scams, law enforcement stings, and unreliable
vendors. Therefore, establishing trust is a significant
barrier to any new player in the marketplace game. But
it’s not the only hurdle.
Figure 5: A post on Nethingoez from May 2018
Adapt or Fail
Increased adoption of alternative techniques and technologies
With dark web markets struggling to fill the void left by AlphaBay and the high barriers to entry for establishing
new marketplaces, the trend has been for users to retreat back to more specialized forums. Even before Operation
Bayonet, there have been other forums specifically dedicated to hacking and security, which often act as a platform
for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as
ransomware variants, exploit kits, compromised accounts, and payment card data. These sites work on a direct transfer
system where vendors and customers will communicate directly to arrange payment, often through messaging
services such as Jabber. Sellers advertise their products on these forums, and then direct users to dark web sites or
private channels to arrange payment. Since the takedowns of AlphaBay and Hansa, administrators of these forums
have been incorporating alternative technologies and processes for added security and trust among users. These four
are blockchain DNS, user vetting and site restrictions, domain concealment, and migration to chat and peer-to-peer
networks.
Blockchain DNS
Domain concealment
Blockchain: Steady but not explosive growth
In July 2017 the Joker’s Stash (Figure 7), a popular Automated Vending Cart (AVC) site offering stolen payment card details, shifted from a Tor domain to a decentralized Blockchain domain name system (DNS). As well as a .onion domain, Joker’s Stash now hosted a .bazar domain that required users to install a Blockchain DNS browser extension or add-on. The site was not the first to implement decentralized DNS – a group called The Money Team also created a .bazar domain in January 2016.
More than simply combatting law enforcement action, Blockchain technology has allowed users to imagine alternative models for decentralized marketplaces – the site known as Tralfamadore being a notable example already in operation. Blockchain serves as the back-end for Tralfamadore, storing the necessary databases and code to support front-end user interfaces. All transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. This addresses problems with user trust; if all transactions are permanently and immutably recorded, vendors who attempt to scam other users can be more easily identified.6
Another challenge for site operators is how to vet and limit your userbase to ensure only reputable and genuine users
have access. Operation Bayonet has made forum users hyper-sensitive to the threat of law enforcement posing as sellers.
One increasingly popular form of site regulation within these communities has been the creation of a forum lifecycle.
This is a process of limiting new users’ access to a forum through mechanisms such as posting limits and area access
restrictions. For the latter, newer users might require a certain level of positive feedback from other members to progress
to certain areas of the site.
Alternatively, they may need to pay for a premium subscription, or have multiple invitations or referrals from established
members. In addition to reducing the likelihood of potentially subversive users infiltrating the site, these
mechanisms also have a strategic objective: by establishing a hierarchy, older, more established users can post more,
and hence sell more to maintain their ‘top vendor’ status.
Telegram
We’ve observed a notable increase in the use of Telegram, with over 5,000 Telegram links shared across criminal forums and dark web sites over the past six months. Of these, 1,667 were invite links to new groups. These covered a range of services, including cashing out, carding, and cryptocurrency fraud.
Within these Telegram channels, sellers post advertisements of their products and services as they would normally do on a marketplace or forum (Figure 9). Buyers can then contact the seller directly in a private chat message and conduct the transaction using cryptocurrencies or electronic payment services.
One such example is the OL1MP marketplace (Figure 10), a Telegram-based marketplace that provides cashing out services. Cashing out is a way to monetize stolen payment card information. Users can easily select the type of good or service, like drugs or vacations, they wish to purchase with their stolen cards.8
OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positive comments from their carded vacations.
Discord
The sentry[.]mba forum has also joined this move to
new platforms. This forum was a popular site for users
looking to purchase proxies and configuration files for
Sentry MBA, a popular credential stuffing tool favored by
cybercriminals. For several months, the site made use of
a new Discord channel, providing a better user interface
and automated bots to make transactions easier.
Out of Sight, But Not Out of Mind
Risks remain for businesses and consumers
As it stands, the marketplace model appears to be in decline, but it would be naive to assume that law enforcement
efforts such as Operation Bayonet have drastically reduced cybercriminal risks to both businesses and consumers.
Instead, as recent developments have shown, cybercriminals have taken to incorporating new processes, technologies
and communication methods to continue their operations. Cybercrime will find a way.
To better understand the risks to businesses and consumers, it’s important to consider the types of data and services
advertised within dark web markets and forums, and how cybercriminals are adapting so that they can continue
making profit. Aside from offering drugs and weapons, cybercriminal marketplaces also facilitated the trade of
payment card data, counterfeits, compromised accounts, and insider threat information. With the shift towards new
processes, technologies, and communication methods, cybercriminals have increasingly taken to using specialist sites
and forums (for example AVCs, carding, and hacking forums) to advertise their services, before conducting transactions
on private communication channels. Moreover, we’ve noticed an increase in cybercriminals using Telegram
and Discord channels as standalone platforms to advertise their products, connect buyers and sellers, and facilitate
payment.
For businesses and consumers, preventing your data from circulating within the cybercriminal ecosystem is a major
challenge. The increased security mechanisms and technologies now add further hurdles. Nevertheless, here are four
general tips that can help reduce the chances of your data falling into unsavory hands:
Know where your most sensitive data resides, and then understand how a cybercriminal would monetize that data.
With this baseline understanding, you can move on to the following steps:
1. Monitor the open, deep, and dark web for mentions of your business, brand, or personal information.
2. Increase your monitoring to cover peer-to-peer platforms and messaging channels that are increasingly being
used by cybercriminals.
3. Use unique and strong passwords on your most sensitive or personal accounts, and enable multifactor authentication
to prevent account takeovers.
4. Don’t forget about third parties. Contractors and suppliers with privileged access to your sensitive information
are also a weak point. Monitor and secure your supply chain networks in the same way you would your own
employees and assets.
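An added example, not part of the original report: one way to check how far monitoring under step 2 reaches is to tally the Telegram and Discord links in text already collected, separating group invite links from other links as the Telegram figures in this paper do. The sample posts, function names and link patterns are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample posts (not real data); some links are defanged the way
# analysts usually write them, e.g. "t[.]me" or "hxxps://".
SAMPLE_POSTS = [
    "Contact via hxxps://t[.]me/joinchat/AAAAAExampleInvite1 for escrow",
    "Channel: https://t.me/example_shop_channel  mirror: t.me/joinchat/AAAAAExampleInvite1",
    "New server https://discord.gg/ExAmPlE1 (old: discordapp.com/invite/ExAmPlE2)",
    "Support bot at telegram.me/example_support_bot, no links to t.me/ alone",
]

def refang(text):
    """Undo common defanging so the patterns below can match."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I)

# Link shapes assumed here: Telegram invites as t.me/joinchat/<code> or
# t.me/+<code>; other Telegram links as t.me/<name>; Discord invites as
# discord.gg/<code> or discord(app).com/invite/<code>.
PATTERNS = [
    ("telegram_invite", re.compile(r"\b(?:t|telegram)\.me/(?:joinchat/|\+)([\w-]+)", re.I)),
    ("telegram_other", re.compile(r"\b(?:t|telegram)\.me/(?!joinchat/)([A-Za-z]\w{3,})", re.I)),
    ("discord_invite", re.compile(r"\b(?:discord\.gg|discord(?:app)?\.com/invite)/([\w-]+)", re.I)),
]

def extract_links(posts):
    """Return the set of unique (category, identifier) pairs seen in the posts."""
    seen = set()
    for post in posts:
        clean = refang(post)
        for category, pattern in PATTERNS:
            for match in pattern.finditer(clean):
                ident = match.group(1)
                # Usernames are case-insensitive; invite codes are not.
                if category == "telegram_other":
                    ident = ident.lower()
                seen.add((category, ident))
    return seen

def tally(posts):
    """Count unique links per category (invite links vs. other links)."""
    return Counter(category for category, _ in extract_links(posts))

if __name__ == "__main__":
    for category, count in sorted(tally(SAMPLE_POSTS).items()):
        print(f"{category}: {count}")
```

Deduplicating before counting matters because the same invite is often reposted across several forums; tracking the per-category totals over time shows whether collection is keeping pace with the shift to chat platforms.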
End Notes
1. https://www.justice.gov/opa/pr/alphabay-largest-online-dark-market-shut-down
2. http://www.bbc.co.uk/news/uk-43965622
3. https://www.digitalshadows.com/blog-and-research/cybercrime-finds-a-way-the-limited-impact-of-alphabay-and-hansas-demise/
4. https://www.digitalshadows.com/blog-and-research/the-other-side-of-the-counter-ddos-social-engineering-spambots-and-insider-risks-to-criminal-locations/
5. https://www.cyberscoop.com/alphabay-bug-private-messages-darkweb/
6. https://www.digitalshadows.com/blog-and-research/the-future-of-marketplaces-forecasting-the-decentralized-model/
7. https://www.digitalshadows.com/blog-and-research/genesis-botnet-the-market-claiming-to-sell-bots-that-bypass-fingerprinting-controls/
8. https://www.digitalshadows.com/blog-and-research/ol1mp-a-telegram-bot-making-carding-made-easy-this-holiday-season/
About Digital Shadows
Digital Shadows provides insight into an organization’s
external digital risks and the threat actors targeting them.
Digital Shadows SearchLight™ service combines scalable
data analytics with human analysts to monitor for cyber
threats, data leakage, and reputation risks. Digital Shadows
continually monitors the Internet across the visible, deep and
dark web, as well as other online sources to create an
up-to-the-minute view of an organization and provide it with
tailored threat intelligence. The company is jointly
headquartered in London and San Francisco. For more
information, visit www.digitalshadows.com.
info@digitalshadows.com