Dark Web Marketplaces Dissolve Post-AlphaBay, Hansa Takedown

Cybercrime marketplaces reshape into smaller forums and individual chats as threat actors find new ways to evade law enforcement.

Kelly Sheridan, Former Senior Editor, Dark Reading

June 5, 2018

5 Min Read

One year after Operation Bayonet took down AlphaBay in 2017, the marketplace model of cybercrime continues to decline -- but it's not a sign for security teams to sit back and relax. The risk to businesses and consumers is alive and well. It's simply taking a different form.

The operation that shuttered AlphaBay and Hansa led to multiple subsequent arrests, says Rafael Amado, strategy and research analyst at Digital Shadows. For a period of time after the takedown, many people didn't understand what was going on. When they did, they panicked.

"They thought it was an exit scam, or technical difficulties," he says. "There were all these different rumors flying about … it started to sow the seeds of mistrust, suspicion, cynicism."

AlphaBay's seizure meant thousands of vendors and buyers in the English-speaking cybercrime community had to look elsewhere to conduct their illicit business. The marketplace consisted of more than 40,000 vendors and generated more than $1 billion in trade, Digital Shadows reports in "Seize and Desist?," a new report examining cybercrime marketplaces post-AlphaBay.

"It cemented the issue of mistrust in the cybercriminal community … it made people really, really suspicious of established marketplaces, and new ones as well," he continues.

AlphaBay's demise left a gap, though it wasn't as large as experts expected -- the marketplace was just one player among many on the underground. However, other markets like Dream and Olympus failed to capitalize on the gap. Instead, cybercriminals found new and stealthier means of continuing their businesses while evading the watchful eye of law enforcement.

Find Me on the Forums

Cybercriminals, increasingly suspicious of marketplaces, began to retreat into older and specialized platforms to buy and sell. Peer-to-peer networks and chat channels have grown more popular, a trend that predates Operation Bayonet but has evolved in its wake.

Over the past six months, Digital Shadows researchers have observed more than 5,000 Telegram links shared across criminal forums and Dark Web sites. Of these, 1,667 were invitation links to join new groups. Discord, another private messaging app, is seeing greater adoption but to a lesser extent, with 743 invites shared within the same timeframe.

The centralized marketplace has dissolved into a decentralized model as wary threat actors err on the side of caution, opting for subtle transactions over markets that require plentiful resources to operate. New tech, processes, and peer-to-peer (P2P) communication give cybercriminals greater anonymity and make them even harder to pin down.

"Your account information and payment card details, along with counterfeit documents, ID scans, banking Trojans … those things are still being traded," Amado explains. "They're not being sold on marketplaces, they're being sold on forums."

Specialized forums cater to buyers and sellers in the market for specific purposes: credit card numbers, malware, hacking tools. Buyers post what they're looking for; sellers post what they have. They share Telegram, Discord, or Jabber info and slip into private messages. People generally want to directly communicate with the actors they're buying from, he adds. Forums serve as a complete log of conversation and are easier targets for law enforcement.

The future of Telegram as hackers' preferred tool is uncertain, Amado points out. It recently came to light that Apple has blocked updates since April, when Russia blocked Telegram and demanded its removal from the Apple App Store because it refused to provide decryption keys for users' communication with Russian security agencies.

"We'll see if Telegram will be forced to comply and if they are, you'll see people move away from Telegram as a communication method of choice," he expects.

Hackers Buckle Down on Forum Security

Forum administrators have been integrating processes to facilitate trust among their users. Blockchain DNS, user vetting, site access restrictions, and domain concealment supplement the use of P2P networks to build a sense of security.

Tralfamadore is an example of a decentralized market that uses blockchain to store databases and code to support front-end user interfaces. Transactions are done in cryptocurrency and are permanently recorded; this way, if one user attempts to scam another, it can be identified.

Cybercriminals using forums are wary of law enforcement posing as users. Some forums regulate activity with "forum lifecycles," which limit new users' access and set posting restrictions until they reach a certain level of activity. New users might require positive feedback from other members until these limitations are lifted.

Some forums require members to pay for premium subscriptions or have multiple referral invitations from established participants. Others create a hierarchy: the longer you're a member and more you prove your legitimacy, the more you're allowed to post.

Amado advises businesses to know what type of data they hold, how it could be monetized, and how an attacker might gain access to it, to prevent their information being trapped in the cybercrime web. With a better idea of how the cybercrime ecosystem is adapting, they can better monitor where stolen data might flow.

Related Content:


Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights