The law enforcement operations that took down the AlphaBay and Hansa marketplaces were meant to strike a sizable blow to the online trade of illegal goods and services. Frequenters of these services might now think twice before placing their trust in these unregulated platforms, and there may well be further arrests to follow as investigations and analysis into the materials seized in these raids run their course.
However, when a drug enforcement operation completes a major bust or arrests a large number of individuals, there is almost always another group, or new recruits, ready to fill the void. Similarly, our analysis of the broader cybercriminal ecosystem suggests that the impact of the AlphaBay and Hansa closures will be somewhat short-lived, for at least three reasons:
1. The game of whack-a-mole continues: cybercrime will find a way
With AlphaBay and Hansa out of the picture, sellers and users will flock to other marketplaces to continue trading as before. This has been evident already, with former AlphaBay and Hansa users advertising on established forums such as Dream Market, TradeRoute, House of Lions and Wall Street Market, which we focused on in our previous blog.
Marketplace takedowns are not a new phenomenon. When Silk Road, once the largest and most popular dark web marketplace, was disrupted by the Federal Bureau of Investigation (FBI) in 2013, this only precipitated the growth of other, alternative platforms. AlphaBay grew from Silk Road’s closure and eventually took on the mantle of the most popular dark web market. Subsequent reincarnations of Silk Road in the form of Silk Road 2.0 and Silk Road 3.0 exemplify how the cycle will likely continue for the foreseeable future. We have seen alternatives emerge as a result of marketplace exit scams as well. In 2015, administrators from the Evolution Marketplace stole an estimated 40,000 BTC. Dream Market was one of the beneficiaries of that exit scam.
Just as Jeff Goldblum’s Jurassic Park character, Doctor Ian Malcolm, says, “Life, uh, finds a way,” cybercrime finds a way as well. Commerce must flow; buyers and sellers need to be connected.
2. AlphaBay and Hansa were only a part of a broader cybercrime ecosystem
Yes, AlphaBay and Hansa were two of the most popular English-language dark web marketplaces. And yes, they had dedicated sections for fraud-related goods (stolen payment card information, counterfeit documents, and compromised bank accounts), as well as malware and hacking tools (the RIG and Bleeding Life exploit kits were previously advertised on AlphaBay). However, from an information security perspective, we should remember that most of the products advertised on these platforms were drugs, weapons, and digital goods such as media accounts and service subscriptions.
Our research shows that there are other forums specifically dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Often sellers will advertise their products on these forums, and then direct users to dark web sites to then arrange payment. Where stolen databases have appeared on sites like Hansa, we assessed it to be highly likely that these datasets were previously traded widely through other criminal networks and then listed on these marketplaces only once their value had been exhausted.
Figure 1: Advert on deep web forum HPC for FileFrozr ransomware
Payment card fraud is a good example of why we should not focus too heavily on marketplaces. There are countless carding and Automated Vending Cart (AVC) sites dedicated to payment card fraud. These types of sites often provide tutorials and courses for novice fraudsters, as we highlight in our recent whitepaper. With new carding and AVC sites emerging every day, this type of activity will continue unabated despite the AlphaBay and Hansa takedowns.
Figure 2: AVC site allowing users to buy stolen payment card data
3. Not all cybercrime occurs on the dark web
Many carding, AVC and hacking sites are not actually found on the dark web, including HPC, CrimeNet and Exploit, which we mentioned above. Moreover, certain types of cybercrime do not need the “anonymity” provided by services such as Tor, or the advertising and transactional functions fulfilled by the marketplace model. Plenty of cybercrime occurs on the open and deep web.
Extortion activity by the darkoverlord, a threat actor we have cited previously, illustrates this point. When the darkoverlord first came to our attention in June 2016, the actor relied heavily on dark web sites such as the Real Deal to advertise stolen datasets. Yet, since the closure of the Real Deal in November 2016, the darkoverlord has remained active and has made use of clear web sites such as Pastebin and Twitter to conduct extortion-based activity. In June 2017, the darkoverlord released eight episodes of an un-aired American Broadcasting Company (ABC) show, posting a message to Pastebin that included a link to the torrent website The Pirate Bay. Three days later, the darkoverlord published over 6,000 medical records that allegedly belonged to a clinic in California. The documents were uploaded to the sharing site mega[.]nz after the clinic purportedly failed to respond to the ransom demands.
While the AlphaBay and Hansa takedowns will likely provide significant intelligence gains, there will always be supply and demand for illicit goods and services. Digital Shadows (now ReliaQuest) will continue monitoring the development of the cybercriminal ecosystem, particularly in these turbulent times. Marketplaces were never seen as the go-to shop for rare exploits or sensitive datasets, and we expect the more sophisticated sellers to continue using more niche forums or private communication channels to flog their wares. Moreover, with other forms of cybercrime occurring outside of the dark web, organizations and individuals would be wrong to assume that the risk of a cyber-attack has now been significantly reduced.