The Rise and Fall of Dark Web Marketplaces


Last year was a particularly tumultuous year for dark web marketplaces, with the successful shutdown of major dark web marketplaces Valhall and Wall Street Market. Dream Market, perhaps sensing law enforcement on their tail, preemptively closed their marketplaces as well. 

After shutting down, however, these marketplaces tended to quickly re-brand, springing up as new sites that are often more powerful than their predecessors. But this is not completely new. According to cryptocurrency investigation and compliance firm Chainalysis, AlphaBay and Hansa, successors to Silk Road, had 5 times as much traffic in 2017 as Silk Road ever did.

So how can law enforcement agencies (LEA) not only find these dark web marketplaces and their administrators but also keep their eye on the constant reincarnations of these sites, making it more difficult for future crimes to be executed?

A Constant Game of Cat and Mouse 

Federal investigators need several different factors to come into play to successfully find darknet marketplace admins. First, they track the site activity over a period of time, waiting for a careless error like a misconfigured CAPTCHA that reveals the IP of the admin, as was the case with Silk Road 1. Next, investigators need to carefully coordinate the efforts of different governmental agencies across geographic regions, aided by dark web monitoring technology. 

Let’s examine a few examples of how an advanced dark web monitoring service can help LEA keep up with these marketplaces as they continually open, close and evolve into new sites and marketplaces. 

Monitoring Migrating Marketplaces into Chat Platforms

Since Tor is no longer considered fully anonymous, cyber criminals are quickly moving to seemingly more secure platforms, such as the Invisible Internet Project (I2P), an anonymous peer-to-peer network that encrypts users’ traffic and shuttles it through a network of over 50,000 computers around the world.

In this post found in Webz’s Cyber API, the admin of the Libertas marketplace is announcing their move to the I2P network. 


Identify the Closing and Reopening of Marketplaces in Near Real-Time

Before Dream Market announced it would shut down on April 30, 2019, it had been considered the second-largest darknet marketplace to date. In the 5 months before Samsara closed its site on November 9, 2019, it prospered as a marketplace with over 500 vendors and 30K posts. As of the publishing of this post, no one knows the real reason behind the shutdown.


Samsara Website Homepage

Through careful dark web monitoring, however, investigators may have been clued in advance of the shutdown. 

Here is a post indicating that Samsara is experiencing heavy DDoS attacks:


Although this could be a troll post or someone imitating a Samsara Market admin, it’s often an indicator that there is instability in a marketplace. Law enforcement investigators can take these posts into consideration when keeping their eye on these dark web markets and going after the admins. The original post is no longer available, but it can be found in Webz’s Dark Web Monitoring API repository.

Here’s another example of how advanced web monitoring technology was able to identify one of these evolving markets. 

Tochka, a dark web marketplace selling illegal drugs, stolen data and other services, began offering its services as early as 2015. The marketplace stopped working on November 28, 2019 without any prior notice. Users claimed that it was due to an exit scam, but it is unclear what actually happened. Just a few days after the shutdown, on December 3, 2019, Webz’s Cyber team identified a new marketplace, Axcess Market, that uses Tochka’s website template. This was seen in the striking similarities between the UX/UI and site architecture of the two sites (i.e. similar homepages, login and site categories).


Tochka marketplace homepage displaying products for sale

The new marketplace could have been created to replace Tochka or it could indicate an intentional exit scam. It could also indicate repeated DDoS attacks or other severe issues that forced the admins to open a new marketplace (similar to what allegedly happened to Dream Market). 


Axcess Market vendor selling fake driver’s license

Whatever the reason behind the shutdown, early alerts of the new marketplace can give LEA a heads up and advantage when pursuing these admins.
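The template comparison described above can be approximated by comparing the tag-and-class skeletons of two saved pages while ignoring their text. This is an added example, not Webz’s code or method; the three HTML snippets are constructed, and `skeleton` and `template_similarity` are hypothetical names.

```python
from html.parser import HTMLParser

class _Skeleton(HTMLParser):
    """Collect tag/class paths; text, names and URLs (which change on a rebrand) are ignored."""
    VOID = {"br", "hr", "img", "input", "link", "meta"}

    def __init__(self):
        super().__init__()
        self.stack, self.paths = [], set()

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        node = ".".join([tag] + sorted(classes))
        # Shingle = the node plus up to two ancestors, so layout nesting counts.
        self.paths.add("/".join(self.stack[-2:] + [node]))
        if tag not in self.VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i].split(".")[0] == tag:
                del self.stack[i:]
                break

def skeleton(html):
    parser = _Skeleton()
    parser.feed(html)
    return parser.paths

def template_similarity(html_a, html_b):
    """Jaccard similarity of the two pages' structural shingles (0.0 to 1.0)."""
    a, b = skeleton(html_a), skeleton(html_b)
    return len(a & b) / len(a | b) if a | b else 0.0

# Constructed sample pages: same template with new branding, and an unrelated site.
PAGE = ('<html><body><div class="nav top"><a class="logo" href="/">{name}</a>'
        '<form class="login"><input name="user"><input name="pass">'
        '<button class="btn">Login</button></form></div>{extra}'
        '<ul class="cats"><li class="cat"><a href="/c/1">{c1}</a></li>'
        '<li class="cat"><a href="/c/2">{c2}</a></li></ul>'
        '<div class="footer">contact</div></body></html>')
OLD_SITE = PAGE.format(name="Market A", extra="", c1="Category one", c2="Category two")
NEW_SITE = PAGE.format(name="Market B", extra='<div class="banner">Now open</div>',
                       c1="Section 1", c2="Section 2")
UNRELATED = ('<html><body><table class="board"><tr><td class="topic">'
             '<a href="/t/1">thread</a></td></tr></table><p class="note">forum</p></body></html>')

if __name__ == "__main__":
    print("old vs new:      ", round(template_similarity(OLD_SITE, NEW_SITE), 3))
    print("old vs unrelated:", round(template_similarity(OLD_SITE, UNRELATED), 3))
```

A high score only flags a candidate for analyst review: shared off-the-shelf marketplace scripts also produce similar skeletons, so it does not by itself establish common operators.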

Identify Marketplace Evolutions Through Actor Keyword Search

Let’s examine a more complex example of how Webz’s Cyber API can continue to monitor sites as they evolve as different marketplace reincarnations. 

A mere two months after Dream Market closed its marketplace, Samsara Market opened its doors, with all the functions and capabilities of Dream Market.

Advanced dark web monitoring can also provide strong evidence that Samsara was opened by a former Dream staff member by searching across the millions of sites, files, marketplaces, message platforms and forums to find posts by the same actor.

Here is an example of a post from a user by the name of “Waterchain” in a darknet forum (calling itself the “Avengers” forum) claiming to be the admin of Dream Market and that he has been caught by the Dutch police. He also warns other users to encrypt the addresses and tumble their Bitcoins to avoid the same fate.

Although that forum is no longer active, a record of it has been maintained in the Cyber API. 


Using an advanced dark web monitoring service that allows comprehensive searching of posts across all endpoints, we find a post mentioning the same user 2 months later.

The message in a Dread forum announced that: 

“As again We ‘SamSara Staff including Waterchain” will be using this account announcing everything related to SamSara Market. Waterchain is not banned and the account has been voluntarily removed, as you probably have noticed some other user has registered the name “Waterchain and is making indeed troll posts.”

Note that this post was particularly interesting as it connects the Waterchain user to both Dream Market and Samsara Market.

To Catch A Dark Web Cyber Criminal

It becomes impossible for LEA to stay on top of the constant rise and fall of the seemingly infinite number of dark web marketplaces. Today we find that law enforcement agencies rely on dark web monitoring to stay a step ahead of marketplace admins and their frequent evolutions. The history of a marketplace cannot be restored from the dark web, but only through an advanced monitoring service that can leverage actor profiling based on monitoring of an actor’s activities and interactions. Although it takes only one mistake for these actors to be caught by LEA, they need to first be able to find this mistake, which can be done through comprehensive and constant monitoring of as many dark networks as possible.
