
Threat Intelligence


Dark Web Marketplaces Dissolve Post-AlphaBay, Hansa Takedown

Cybercrime marketplaces reshape into smaller forums and individual chats as threat actors find new ways to evade law enforcement.

One year after Operation Bayonet took down AlphaBay in 2017, the marketplace model of cybercrime continues to decline -- but it's not a sign for security teams to sit back and relax. The risk to businesses and consumers is alive and well. It's simply taking a different form.

The operation that shuttered AlphaBay and Hansa led to multiple subsequent arrests, says Rafael Amado, strategy and research analyst at Digital Shadows. For a period of time after the takedown, many people didn't understand what was going on. When they did, they panicked.

"They thought it was an exit scam, or technical difficulties," he says. "There were all these different rumors flying about … it started to sow the seeds of mistrust, suspicion, cynicism."

AlphaBay's seizure meant thousands of vendors and buyers in the English-speaking cybercrime community had to look elsewhere to conduct their illicit business. The marketplace consisted of more than 40,000 vendors and generated more than $1 billion in trade, Digital Shadows reports in "Seize and Desist?," a new report examining cybercrime marketplaces post-AlphaBay.

"It cemented the issue of mistrust in the cybercriminal community … it made people really, really suspicious of established marketplaces, and new ones as well," he continues.

AlphaBay's demise left a gap, though it wasn't as large as experts expected -- the marketplace was just one player among many on the underground. However, other markets like Dream and Olympus failed to capitalize on the gap. Instead, cybercriminals found new and stealthier means of continuing their businesses while evading the watchful eye of law enforcement.

Find Me on the Forums

Cybercriminals, increasingly suspicious of marketplaces, began to retreat into older and specialized platforms to buy and sell. Peer-to-peer networks and chat channels have grown more popular, a trend that predates Operation Bayonet but has evolved in its wake.

Over the past six months, Digital Shadows researchers have observed more than 5,000 Telegram links shared across criminal forums and Dark Web sites. Of these, 1,667 were invitation links to join new groups. Discord, another private messaging app, is seeing greater adoption but to a lesser extent, with 743 invites shared within the same timeframe.

The centralized marketplace has dissolved into a decentralized model as wary threat actors err on the side of caution, opting for subtle transactions over markets that require plentiful resources to operate. New tech, processes, and peer-to-peer (P2P) communication give cybercriminals greater anonymity and make them even harder to pin down.

"Your account information and payment card details, along with counterfeit documents, ID scans, banking Trojans … those things are still being traded," Amado explains. "They're not being sold on marketplaces, they're being sold on forums."

Specialized forums cater to buyers and sellers in the market for specific goods: credit card numbers, malware, hacking tools. Buyers post what they're looking for; sellers post what they have. They then exchange Telegram, Discord, or Jabber contact details and slip into private messages. People generally want to communicate directly with the actors they're buying from, he adds, because a forum serves as a complete log of the conversation and is an easier target for law enforcement.

The future of Telegram as hackers' preferred tool is uncertain, Amado points out. It recently came to light that Apple has blocked Telegram updates since April, when Russia blocked the app and demanded its removal from the Apple App Store after Telegram refused to hand Russian security agencies the decryption keys for users' communications.

"We'll see if Telegram will be forced to comply and if they are, you'll see people move away from Telegram as a communication method of choice," he expects.

Hackers Buckle Down on Forum Security

Forum administrators have been integrating processes to facilitate trust among their users. Blockchain DNS, user vetting, site access restrictions, and domain concealment supplement the use of P2P networks to build a sense of security.

Tralfamadore is an example of a decentralized market that uses blockchain to store databases and code to support front-end user interfaces. Transactions are done in cryptocurrency and are permanently recorded; this way, if one user attempts to scam another, it can be identified.

Cybercriminals using forums are wary of law enforcement posing as users. Some forums regulate activity with "forum lifecycles," which limit new users' access and set posting restrictions until they reach a certain level of activity. New users might require positive feedback from other members until these limitations are lifted.

Some forums require members to pay for premium subscriptions or to obtain multiple referral invitations from established participants. Others create a hierarchy: the longer you're a member and the more you prove your legitimacy, the more you're allowed to post.

Amado advises businesses to know what type of data they hold, how it could be monetized, and how an attacker might gain access to it, so as to keep their information from ending up in the cybercrime web. With a better idea of how the cybercrime ecosystem is adapting, they can better monitor where stolen data might flow.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
