Hot on the heels of our recent blog titled Revil: Analysis of Competing Hypotheses, the Photon Research Team is back with a new Structured Analytical Technique (SAT) to make sense of an exciting event in the threat landscape: the sudden comeback of AlphaBay marketplace. Based on the data available, we decided to opt for a SWOT analysis to answer questions like: Is AlphaBay 2.0 a credible new marketplace? Why has it been recreated just now?

SAT exercises can be a highly beneficial way to overcome intelligence analysts’ inherent cognitive biases, such as groupthink, confirmation bias, and overconfidence. These exercises force analysts to question their key assumptions and to consider different perspectives and opinions on a given topic. For example, in this SWOT analysis, we noticed how most of the strengths highlighted were hiding a corresponding weakness, thus generating a complex – yet more reliable – picture of the whole matter.

Before diving into the main findings of this exercise, let’s have a quick recap so we’re all on the same page. Who’s AlphaBay? Where are they back from? And most importantly, what on earth is a SWOT analysis?

SWOT’s a SWOT Analysis?

Open any business management textbook and you’ll find that a SWOT analysis is a strategic exercise to assess the Strengths, Weaknesses, Opportunities, and Threats in any situation that requires a decision in strategic planning. Widely popular in fields like business intelligence and marketing, SWOT allows analysts to gather a comprehensive picture of a predetermined phenomenon and reason around it holistically.

Along with limiting cognitive biases, a SWOT analysis is also helpful to brainstorm fresh perspectives and ideas. Analysts should always be encouraged to speak up with their thoughts and counter each other’s arguments – as is often the case, the most provocative perspectives tend to spark the most engaging discussions, thus leading to remarkable findings. 

Example of a SWOT table to drive the discussion

Once the house rules are established, every SWOT analysis has a table like the one above. As analysts take notes throughout the discussion, this table progressively offers a comprehensive and organized picture of the phenomenon observed.

Once the internal discussion is over, and all four sections are completed, it is time to disseminate the findings. Dissemination can happen in various ways and be internal (e.g., a PowerPoint presentation to the C-suite) or external (you got it, just like this blog). Intelligence for intelligence’s sake is not helpful to anyone, so clear communication of the process and findings of the SWOT analysis is crucial for the success of these kinds of exercises.

Can the real AlphaBay please stand up?

As we mentioned above, the chosen topic for this SWOT exercise is the return of AlphaBay marketplace in the underground scene. As you may remember, AlphaBay was a marketplace established in 2014 that quickly rose to become a massive player in the cybercriminal community during its short-lived existence. Innovation and diversification were the two main drivers for this marketplace’s success – it was one of the first to implement escrow systems and digital contracts, as well as accepting cryptocurrencies such as Monero and Ethereum.

After just three years of existence, AlphaBay had more than 200,000 active users and 40,000 vendors: numbers too big to be ignored by law enforcement. That’s why in July 2017, an international law enforcement operation managed to take down the marketplace and allegedly arrest one of its founders, user “Alpha02”, who later reportedly committed suicide in prison in Thailand. With AlphaBay’s demise, soon followed by the takedown of Hansa marketplace, law enforcement had managed to instill a profound sense of distrust in the cybercriminal community and create a substantial void in the dark web marketplace scene.

Banners announcing the seizure of AlphaBay and Hansa marketplaces (source: Europol)

Since that takedown, no one had heard from AlphaBay. Fast forward to August 2021, when user “DeSnake”, an OG member of AlphaBay, announced the return of the historic cybercriminal marketplace following a four-year hiatus. This announcement took security researchers and cybercriminals alike by surprise. It’s not uncommon for cybercriminal operations to come back after a period of inactivity. Still, this comeback raised a few eyebrows due to the timing and the implications of this event.

According to DeSnake’s words, AlphaBay has come back to honor the legacy of Alpha02 and offer a valid alternative to the “poor state of the current operating marketplaces.” DeSnake also claimed that AlphaBay 2.0 would prohibit ransomware discussion, COVID-19 vaccine listings, or malicious activity targeting former USSR countries. Additionally, the new marketplace will allegedly have seizure-proof systems to allow threat actors to withdraw funds in the event of a law enforcement operation and will also see the creation of a forum alongside the traditional marketplace.

Although the identity of DeSnake has since been verified by a third-party cybercriminal forum, cybercriminals still seem to be quite skeptical about this comeback. Digital Shadows (now ReliaQuest) has monitored their reactions in the past week and observed mixed opinions, with cybercriminals typically erring on the side of caution and awareness. Nonetheless, others seem to be willing to give the marketplace’s return the benefit of the doubt, given that “the community needs a better market, a market the way AlphaBay and Dream and Hansa were,” according to one cybercriminal forum user. 

AlphaBay’s SWOT analysis

Following the events described above, two questions inevitably arise: Is this a legitimate comeback from AlphaBay? Why have they come back just now after four years of inactivity? The Photon Research Team used these questions to drive the SWOT analysis – here is a summary of our findings.

Strengths

  • Street credibility

If one thing is sure, there are very few cybercriminals who haven’t heard the AlphaBay name at some point. This marketplace had a massive reputation during its tenure and is still regarded as one of the big names in the community. Reputation and credibility are critical drivers for cybercriminal forums and marketplaces. Therefore, it is likely that cybercriminals will be drawn to at least check out AlphaBay 2.0 and, in some instances, maybe even adopt it as their first choice. Additionally, more legacy members from the original AlphaBay could come back to this new marketplace. In that case, new users may feel safer in using it as well, thus causing a snowball effect.

  • New features

Along with trading on the original marketplace’s renowned stability, the new AlphaBay has allegedly introduced new features to improve the security of its platform. The most important addition is probably “AlphaGuard,” a system designed to allow threat actors to withdraw funds even if all servers are seized by law enforcement – not a random feature given past experiences. This way, even skeptical users who may be afraid of DeSnake being compromised by law enforcement should feel safer, given that this system is in place. Will it be reliable, though? That we cannot say.

On top of that, DeSnake has announced their intention to make AlphaBay the first decentralized cybercriminal marketplace, i.e., a place where vendors can independently carry out their sales, while AlphaBay provides the infrastructure and works to resolve internal disputes.

AlphaBay’s “decentralized cybercriminal marketplace” project

  • New rules to avoid unwanted attention

If you remember, following the Colonial Pipeline ransomware attack, some cybercriminal forums and marketplaces banned all things ransomware to avoid unwanted law enforcement attention. That’s why when we first read about DeSnake’s intention of recreating AlphaBay, we initially thought that this platform could become a safe haven for ransomware operators to differentiate itself from its competitors. However, it seems that we were wrong.

The new rules explicitly prohibit talking about ransomware operations and recruiting new operators for existing gangs. Additionally, likely to avoid law enforcement attention, the new admin also banned selling COVID-19 vaccines. While these rules serve to reduce the chances of an imminent takedown by Western law enforcement officials, the admins also put in place new rules to avoid Eastern takedowns. The prohibition against targeting and discussing attacks against organizations in former USSR countries should then be seen through this lens.

Weaknesses

  • Compromised admin?

The first fundamental weakness discussed during our exercise was the potential of a law enforcement infiltration in this operation. While third parties have confirmed DeSnake’s identity as the previous security admin of AlphaBay, some users have questioned their reliability and wondered whether DeSnake could have been compromised by law enforcement during the site’s four-year absence.

It wouldn’t be the first time that law enforcement has adopted a similar approach to bust cybercriminals. Following AlphaBay’s takedown, many users moved to Hansa to conduct their business. However, law enforcement managed to take over – rather than take down – that marketplace, thus enabling them to trace and arrest many users. 

  • Criminal comebacks are rarely successful

As Photon stated in a blog titled Tracing The Rise And Fall Of Dark Web Marketplaces And Cybercriminal Forums, “It’s often the case that a sequel to a great book or a remake of a once-popular TV series doesn’t generate the same enthusiasm or excitement as the original.” Cybercriminals tend to be quite wary of these comebacks and are especially cautious when law enforcement was previously involved in taking down the operation.

Nonetheless, there have been some successful comeback instances. The English-language cybercriminal forum Torigon was initially created in September 2019 with the bold intention of unifying the Russian- and English-speaking cybercriminal landscapes. Torigon’s first attempt didn’t go well, and the forum suffered heavy DDoS attacks from competitors, forcing its admins to shut it down. However, after some work on the backend, the forum returned after a few months of absence and started to gain the momentum it never really achieved the first time around.

  • User base will be slow to grow

This third weak point stems from a mix of skepticism and cybercriminals’ traditional reluctance to change. Cybercriminals are slow to adopt new forums and marketplaces when the old, reliable ones are still working. As such, it will be difficult for AlphaBay to convince many users to abandon their current platform of choice and move to theirs.

The new rules won’t help either. Had AlphaBay provided a safe haven for ransomware actors, the marketplace might have attracted many threat actors to its platform. On the other hand, that would have also put AlphaBay at the top of the law enforcement priority list. A tricky balance to reach, here.

  • No exit scam protection

In addition to the points discussed above, a fourth one deserves attention, and it refers to a problem tied to the previous AlphaBay. Although the new platform has the “AlphaGuard” system to protect users from law enforcement activity, there’s still no system to protect them from the evergreen exit scam.

Opportunities 

  • Reunite the community under one roof

According to DeSnake, one of the main reasons for recreating AlphaBay was the decaying state of current cybercriminal marketplaces. Some nostalgic users even applauded this initiative, claiming that it is about time for a one-for-all space for the cybercriminal community to reunite in. This is a big opportunity for the new AlphaBay, and using this purpose to attract new users may well work in the long term. 

  • Untapped market?

During our scheduled visits to the new AlphaBay, we noticed how the number of products on sale has grown along with the marketplace itself. Nonetheless, at the time of writing, AlphaBay 2.0 still leans substantially towards illicit drug listings rather than cybercriminal tools.

Although some users may perceive this as a liability, it will be interesting to observe what direction AlphaBay will take over time. At the moment, there aren’t as many criminal marketplaces focusing on illicit drugs as there were a few years ago, so maybe AlphaBay will try to exploit this untapped market to get some initial traction.

  • Opportunities for new threat actors

As we mentioned above, AlphaBay’s name speaks for itself. That’s why we saw this venture as an opportunity for emerging threat actors to jump on this platform in its early stages to build their reputation before others. If AlphaBay is really set to take off in the near future, the earlier these actors consolidate their position, the better.

Threats

  • Fragile reputation

We had a lot to talk about regarding threats to AlphaBay’s existence during our internal conversation. One of the first that comes to mind is its fragile reputation. Several users have already questioned the new admin’s credibility, given that they were responsible for technical support during the law enforcement takedown in 2017. Consequently, many were wondering if DeSnake could be trusted this time.

Add to that the observation that AlphaBay 2.0 needs a lot of immediate traction to start competing with the other existing marketplaces, and one of its central liabilities becomes clear. Rumors about a potential fraudulent operation (be that an incoming exit scam or a law enforcement takeover) could well mean the end of this new experiment.

  • Law enforcement activity

Unsurprisingly, another pressing threat for AlphaBay comes from law enforcement. An international operation in 2017 managed to take down that massive platform and arrest some key members. It wouldn’t come as a surprise to see law enforcement attempt to take it down again if AlphaBay were to rebuild part of its massive user base.

Additionally, the possibility of facing a law enforcement “honeypot” operation with the creation of AlphaBay 2.0 can still be considered realistic; however, during our discussion, we assessed this threat as unlikely given the extensive resources needed to conduct such an operation.

  • Tough competition

Finally, a key point: AlphaBay doesn’t exist in a vacuum. Although the cybercriminal community has not fully recovered from the 2017 blows to AlphaBay and Hansa, there are still plenty of active marketplaces and forums in the English- and Russian-language scenes. As such, AlphaBay’s success is threatened by these other actors that have no intention of giving up their platforms.

Additionally, when AlphaBay 2.0 claims to intend to reunite scattered cybercriminals under one roof, it is indirectly posing a threat to other marketplaces’ existence. Turf wars are not uncommon in this space. Therefore, it is realistically possible that other platforms may attack the new AlphaBay, possibly in the form of a Distributed Denial of Service (DDoS) attack – something that we have frequently observed in the past.

Recap of the findings

The return of AlphaBay to the cybercriminal community has been a momentous event that has the potential to reshape the current marketplace threat landscape. Innovative tactics and a void in that environment are the most promising strengths and opportunities to drive AlphaBay to recover its old prestige. On the other hand, several weaknesses and threats coming from law enforcement and its competitors make the way to the top quite arduous.

Simplified version of Digital Shadows (now ReliaQuest) SWOT analysis’ findings 

Ultimately, it’s a long way to the top if you wanna rock’n’roll. Only time will tell whether AlphaBay will establish itself as a key player in this threat landscape or whether we will add this comeback to the list of failed ones. In the meantime, Digital Shadows (now ReliaQuest) will continue to monitor for indicators of change so as to continuously reassess our judgment on the topic. For example, the number of products sold, the presence of known threat actors, and growth in the user base can be essential signs for future analyses.

Curious about how Search Light (now ReliaQuest GreyMatter Digital Risk Protection)’s threat intelligence can help in monitoring cybercriminal marketplaces and forums? Take a seven-day test drive of it here, or sign up for a demo.