We are increasingly used to threat actors extorting a company by threatening to publicly release its data. The recent HBO extortion attempt is a prime example, and actors like thedarkoverlord have also used this approach to a large extent. Digital Shadows (now ReliaQuest) has tracked well over 20 thedarkoverlord extortion attempts since June 2016. The process is straightforward enough: acquire a company’s valuable data, threaten to release the data if a ransom is not paid, and then put pressure on the victim by sharing the data with journalists. But cybercriminals also face this risk themselves. In this case, a criminal marketplace is the victim of an extortion attempt. Is there any trust left in criminal marketplaces?


Fig 1 – An advertisement for Basetools on another criminal forum


On October 24th, a user posted on Pastebin claiming to have accessed customer details and administrator accounts of Basetools, an online criminal marketplace. The user also claimed to have obtained personal details of the administrator and demanded $50,000 in ransom, or he would release further information and the dox of the administrator. The post threatened to inform law enforcement should the payment not be made. At the time of writing, the Basetools market was “under update” and claimed it would be back in “a few days”.


Fig 2 – The message received when accessing Basetools on 25 October 2017


Basetools is a criminal marketplace that is often advertised within Russian-speaking criminal forums and marketplaces. The site allows vendors and buyers to trade credit card information, customer accounts, and spamming tools. The site claims to offer over 150,000 accounts, 20,000 tools and 24/7 support.


Fig 3 – A screenshot provided by the extortionist, claiming to show access to the admin support panel

One motivation behind the threat is clearly financial, but that does not tell the entire story. The actor claims that the administrator of the site has been manipulating the vendors, creating false personas and falsely elevating those vendor profiles to the top of listings.


What’s the Impact?

For many years, the criminal marketplace – whether that is on the dark or deep web – has been the preserve of cybercriminals, allowing them to easily advertise and sell their illicit goods. However, this landscape has shifted significantly in the past 4 months with the demise of the AlphaBay and Hansa marketplaces.

We have previously forecast the potential shift from centralized marketplaces to more decentralized models and the conditions that would have to exist for this to become a reality. The attempted extortion of Basetools, and in particular the allegations of an admin manipulating vendor ratings, is yet another reason for cybercriminals to reconsider the idea of a centralized market. In a decentralized model, the risk of this occurring would be reduced.

While the conditions for a decentralized model taking the lead may not yet be there, this may take us one step further. In future posts, we’ll be looking at the recent adoption of the decentralized model and its implications.