Over the past three weeks, Digital Shadows (now ReliaQuest) has observed another popular dark web criminal market – Nightmare – experience several irregularities. Vendors were having difficulty logging into accounts, the delisting of it from the popular dark web site, Dark Fail, and chatter on  dark web cybercriminal forums, including Dread, Torum and the Hub, all point to the possibility that Nightmare market’s time has come.

frozen vendor accounts nightmare market

Nightmare market: what went wrong?

English-language cybercriminal marketplaces remain under sustained pressure – both due to external factors and factors borne out of their position within the cybercriminal scene.

Nightmare seems to be at the epicenter. Last year, we observed Olympus market – predicted to be the next generation market – cease trading, soon followed by Rapture, another rising star.  In April 2019, Dream market announced it would be shutting down; shortly following this, the dark web marketplace, Wall Street Market, reportedly exit scammed. The demise of Nightmare closely mirrors the downfall of other dark web markets; namely whether by exit scam, internecine strife or law enforcement disruption the site is unlikely to recover. Digital Shadows (now ReliaQuest) has identified three key factors that likely influenced its probable departure:


1. Poor security

Nightmare Market has been embroiled in a drama for some time. Speculation of a Nightmare exit scam first stirred in April – May 2019. Then in July, the market reportedly suffered from a breach, leading to the exposure of vendor mnemonics and internal messages between staff. The breach was allegedly carried out by a former Nightmare insider who wanted to reveal that the site was going to ‘exit scam’. Nightmare admins quickly denied the claims, emphasizing that it wasn’t going to do such a thing. Without surprise, customer faith in the site didn’t recover.

A breach of such magnitude highlighted to cybercriminal vendors and customers alike that funds deposited we not funds secured; this was pivotal in undermining trust in this marketplace.

The above may have proven to the cybercriminal community that Nightmare was not a fit player when it comes to security – as poor measures are likely to scare cybercriminals away (they like to know their funds are accessible and safe).


2. Poor website: UX & performance

Nightmare market has a “terrible UX,” claimed one user back in April on the dark web discussion forum, The Hub. Another user remarked that it was “impossible” to message vendors or even report bugs. UX (user experience) and website performance, as we’ve argued previously, are critical components for a market to succeed. They need to be successfully built into the site – a key influencer in both loyalty and demand. By the maxim a happy customer is a loyal customer. Nightmare could do little to stem the migration to better platforms.

Figure 1 - Complaints about Nightmare dark web market

Figure 2 - complaints about nightmare dark web market

Figures 1 & 2: Complaints about Nightmare on the Hub discussion forum.


3. Trust: Nightmare loses accreditation

Ratings are important and the dark web is no different. Declining trust has caused the cyber criminal community to turn its back on Nightmare.

Dread  – a Reddit-style community with a big cult-like following – has labelled the site’s server status as “scamming”. Many Nightmare customers who spent time and added funds to the site are turning to Dread to voice their disappointment and warn others away: One urged others to “stay away” from Nightmare,  another recommended to “CLOSE YOUR ACCOUNTS ASAP”, whilst another was less sympathetic adopting the ‘I told you so’ attitude.


Nightmare market discredited on Dread

Figure 3: Nightmare market discredited on Dread


Topping this, Dark Fail – a site that allows users to check whether darknet sites are online – it first changed it to “scam” then removed “URLs” its listings entirely (see figure 3). Such a move confirms that even Dark Fail doesn’t trust Nightmare market.

Cybercriminal marketplaces: Is volatility hampering criminal activity?

Such volatility poses a headache (possibly even a migraine) for the English language cybercriminal underworld. New markets keep appearing, then they disappear – which is causing chaos. Such chaos is quickly becoming an increasing feature of the cybercriminal experience, though. But will these developments impact the way cybercriminals trade? Here’s what we assess:

  • Lack of Trust: Such volatility is instilling distrust within the community. Nightmare tells us the cybercriminal ecosystem has no time for ‘exit scams’ and inadequate markets – these vendors and marketplaces are quickly weeded out.
  • Cybercriminal intent remains: While English-language cybercriminal marketplaces have a seemingly declining longevity, criminal intent remains. Underground markets are the most accessible way to serve a broad audience – so we can expect new markets to pop up; however, they, like others, may tread a similar path to their forebearers.
  • Use of multiple platforms: As the marketplace becomes an increasingly toxic brand, we assess cybercriminals will utilize any available service to effect trades. However, while chat services, paste sites, and AVCS may pose a tantalizing alternative, the human impulse to trade in a market-like environment is likely to remain.

Digital Shadows (now ReliaQuest)’ Photon Research Team will continue to monitor these developments, as we do with the rest of the cybercriminal landscape operating online.


To read more updates like this, subscribe to our email list below.