Dark web takedowns make good headlines, do little for security

Shutting down dark web marketplaces looks and feels good, but it hasn't significantly reduced risk. Worse, it drives cybercriminals to harder-to-track channels.

[Image: Closed markets in a dangerous neighborhood behind a police line caution tape barrier. Credit: Peeter Viisimaa / Zager / Getty Images]

Dark web markets are an inherently unstable place. Regular DDoS attacks from rivals, takedowns by law enforcement, plus a variety of scams means markets come and go at a rapid pace.

According to threat intelligence provider Recorded Future there are around 8,400 live Tor onion domains, and within that around 100 markets and forums in all. Since the 2013 takedown of Silk Road, a regular carousel of dark web marketplaces has sprung up and disappeared. In 2017, AlphaBay and Hansa were the top markets only to be taken down by law enforcement as part of a sting codenamed Operation Bayonet.

2019 has seen a raft of major closures. The markets that rose up to fill the gap left by AlphaBay and Hansa – Dream Market, Wall Street Market and Valhalla/Silkkitie – have all closed down in recent months.

Wall Street and Valhalla were taken down by law enforcement (Wall Street’s operators were reportedly trying to exit before they were caught) while Dream Market’s operators said it was closing down due to attackers using a flaw in Tor to repeatedly launch DDoS attacks against the site and demanding a ransom to stop. The “official” statement about its closure said the market would be “transferring its services to a partner company,” but as yet there hasn’t been any replacement partner.

Law enforcement also took down Deep Dot Web, a news site dedicated to dark web markets, after charging its owners with money laundering and receiving kickbacks from the markets they wrote about.

Despite these disruptions, the black market for illicit goods and services – including hacking tools, malware and information dumps – continues to exist. Nightmare, Empire and Darkmarket are just three of many markets listed on dark web market monitoring sites – and more will come and go.

“I think the overall impact of these types of takedowns is that you will see a vacuum created,” says Josh Lefkowitz, CEO of threat intelligence firm Flashpoint. “You have motivated entrepreneurs who feel that there's a void in the dark net marketplaces and see an opportunity to become the new biggest game in town.”

“Does this [dark web market shutdowns] have a material impact in terms of reducing risk to the enterprise? I would say no. If you're a kid who has been buying illegal narcotics, your life becomes more difficult, potentially. If you wanted to buy a repackaged library of credentials, the impact on the cybercrime ecosystem is de minimis,” says Lefkowitz. “This cat and mouse game in various forms and fashions has been going on for years and years and years. You have highly motivated buyers, you have highly motivated sellers, you have a global marketplace overarching all of these different components.”

Markets on the move

While dark web marketplaces will continue to exist, many criminals are moving “to perceived ‘more secure’ communication mechanisms and ecosystems, others [are] moving into, or continuing to move, into chat services,” Lefkowitz says. Last year a Digital Shadows report into cybercrime markets in the wake of the AlphaBay and Hansa closures found a growing trend of dark web sites inviting users to join groups on messaging apps such as WhatsApp rival Telegram or Discord, a channel-focused voice and text application originally designed for the gamer community.

In six months of monitoring, Digital Shadows observed over 5,000 Telegram links shared across criminal forums and dark web sites (1,667 were invite links to new groups), and 743 invites to Discord. One example mentioned in the report included a forum dedicated to the credential stuffing tool Sentry MBA, which had migrated to Discord.

Another report, by Check Point, claimed that Telegram has become “cyber crime’s channel of choice” and described a number of channels or groups dedicated to offering stolen documents and hacking tools, and to soliciting for employers for insider attacks. “Telegram, Discord, and others have dramatically increased in popularity, as well as the breadth of activity taking place in those environments,” says Lefkowitz. “It's much easier for anybody to simply stand up a new channel and group than if they were trying to do that on their own and get critical mass within the forum or marketplace ecosystem.”

He adds that, along with the view that encrypted chat services are more secure than traditional dark web marketplaces and forums, the instantaneous, near real-time communication of such apps and the ability to share media are a draw to criminal actors. “We see so many fraudsters on Telegram reposting receipts from fraudulent transactions that they've participated in. We see insiders who are trying to find partners who are taking pictures in their corporate uniforms to validate who they purport to be.”

Sophos recently published research suggesting the actors behind the Anubis banking trojan were using Twitter and Telegram to fetch the address of its command-and-control server and serve instructions. These apps are also becoming a new way to dump information. Source code and operational information about the Iranian-linked APT group OilRig (also known as APT34 and Helix Kitten) was leaked via Telegram.

Even in China, activity has largely moved to QQ and WeChat group messages in an effort to avoid censorship and surveillance, according to Crowdstrike threat intelligence analyst Mitch Edwards.

This isn’t a new trend – a 2017 study by IntSights found a 30-fold increase in mobile-based dark web activity over the preceding 12 months, with the likes of Discord, Telegram and WhatsApp being used to “trade stolen credit cards, account credentials, malware, drugs and to share hacking methods and ideas” – but the use of such communication methods seems to be increasing.

Visibility lost

Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey, calls these channels the “invisible net.” In his latest dark web report, published with Bromium, 70% of the dark net “service providers” his researchers spoke to either invited them to continue the conversation over, or operated exclusively through, private or encrypted messaging systems.

“A lot of the vendors wanted to talk through more secure channels,” McGuire tells CSO. “If our experience is anything to judge by, the dark net is almost becoming a bit of a front of a house shop where you perhaps make the initial connection, perhaps look in the shop window and get an idea of what's out there. Then you can start to really talk [via other means]. We were directed sometimes around three or four different communication channels.”

While the dark web has long been where threat actors conduct their business, it has also offered a visible window through which law enforcement and enterprises can keep track of what’s happening on the black market. “Law enforcement have got some real problems in how they deal with the dark web,” says McGuire. “They, like a lot of other people, get sucked into hype around it and they have to do something about it. I think it's actually quite a useful cybersecurity tool and they're slightly missing a trick, because [law enforcement] are still failing to see this shift in the nature of cybercrime from individualistic, sporadic, random action into a much more interconnected cybercrime economy. In any kind of economy you might take down elements of that economy, but you don't actually fundamentally disrupt the flow of goods and services.”

Dark web monitoring allows enterprises to keep track of what kinds of services and tools are being offered, whether threat actors are soliciting any kind of information or access relating to your company, and whether data involving your company, suppliers, or customers is being offered or dumped online. A number of startups now offer dark web scanning capabilities that allow automated, scalable tracking of dark web markets, forums and dumps on Pastebin-like sites, without relying on individuals trawling such sites by hand.
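Two of the monitoring tasks described above can be shown concretely: the kind of tally Digital Shadows reported (counting Telegram and Discord invite links shared across scraped forum and market posts) and the enterprise-side check for mentions of your own organization in the same scraped text. The following script is an added illustration, not code from the article or from any vendor named in it. The post text is constructed sample data, the monitored asset names (`example-corp.com`, `Example Corp`) are placeholders, and the invite-link formats it recognizes (`t.me/joinchat/…`, `t.me/+…`, `discord.gg/…`, `discord.com/invite/…`) are the public URL shapes those services use for group invites and channel links.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of scraped forum/market posts (placeholder data, not real captures).
SAMPLE_POSTS = [
    "new drop, dm me on tg: https://t.me/joinchat/AAAAAEexampleInvite",
    "moved our shop to discord, join https://discord.gg/exampl3",
    "selling combo list, 2M lines, includes example-corp.com accounts",
    "plain text, nothing of interest here",
    "backup channel https://t.me/example_channel and https://discord.gg/exampl3",
    "looking for insider at Example Corp, paid well, t.me/joinchat/BBBBBexample",
]

# Telegram: t.me/joinchat/<token> and t.me/+<token> are private group invites,
# t.me/<name> is a public channel or user link. Group 1 tells the two apart.
TELEGRAM_RE = re.compile(r"(?:https?://)?t\.me/(joinchat/|\+)?([A-Za-z0-9_\-]+)", re.I)
# Discord: discord.gg/<code> or discord(app).com/invite/<code> are always invites.
DISCORD_RE = re.compile(
    r"(?:https?://)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9\-]+)", re.I
)


@dataclass
class Finding:
    post_index: int
    platform: str      # "telegram" or "discord"
    kind: str          # "group_invite" or "public_link"
    identifier: str    # invite token or channel name


def extract_chat_links(posts):
    """Pull every Telegram/Discord link out of a list of post texts."""
    findings = []
    for i, text in enumerate(posts):
        for m in TELEGRAM_RE.finditer(text):
            kind = "group_invite" if m.group(1) else "public_link"
            findings.append(Finding(i, "telegram", kind, m.group(2)))
        for m in DISCORD_RE.finditer(text):
            findings.append(Finding(i, "discord", "group_invite", m.group(1)))
    return findings


def summarize(findings):
    """Tally links per (platform, kind) and count distinct invite identifiers per platform."""
    totals = Counter((f.platform, f.kind) for f in findings)
    distinct = {
        p: len({f.identifier for f in findings if f.platform == p})
        for p in ("telegram", "discord")
    }
    return totals, distinct


def find_asset_mentions(posts, assets):
    """Map post index -> list of monitored assets (domains, org names) mentioned in it."""
    hits = {}
    for i, text in enumerate(posts):
        lowered = text.lower()
        matched = [a for a in assets if a.lower() in lowered]
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    links = extract_chat_links(SAMPLE_POSTS)
    totals, distinct = summarize(links)
    print("link totals:", dict(totals))
    print("distinct identifiers:", distinct)
    # Placeholder asset list; a real deployment would load the organization's domains and brand names.
    print("asset mentions:", find_asset_mentions(SAMPLE_POSTS, ["example-corp.com", "Example Corp"]))
```

Distinct-identifier counts matter because the same invite is often reposted across several sites, so raw link counts overstate how many groups actually exist; and a post that both mentions a monitored asset and carries an invite link is the kind of item that needs a human analyst, since the substantive discussion has already moved somewhere automated scraping cannot follow.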

However, as more activity is conducted on messaging apps, such automated tracking becomes more difficult and gaining access to private groups more challenging for individuals. Law enforcement and enterprises lose that visibility into what’s going on. “It's not like it was two or three years ago,” says McGuire, “where the markets would reform themselves pretty quickly. I think a shift towards more secure, more covert forms of communication is worrying for enterprises because you can still get the stuff you can get on the dark web market listings.”

Copyright © 2019 IDG Communications, Inc.
