Lately, dark web actors have one more worry: getting caught by law enforcement. Tracking illegal dark web activity has been a cat-and-mouse game for authorities, but in the end they often catch their adversaries and seize the dodgy money. On the night of the 2020 presidential election, for example, US government officials managed to empty out a $1 billion Bitcoin wallet, recovering funds linked to Silk Road seven years after the market’s closure. Silk Road was a popular underground marketplace dealing in illegal goods and services such as narcotics, hacking for hire, and contract killing.

Cybercriminal group closure and exit scams

Events like these have compelled cybercriminals to plot new strategies, which sometimes involve closing shop and cashing out before they get on the feds’ radar. In October 2020, the Maze ransomware group, which had breached hundreds of companies including Xerox, LG, and Canon, shut itself down over a six-week period, stating that it had retired its activities. However, experts have suggested this is likely a façade.
Ransomware operators often shut one operation down to join another rather than exit the business completely. “In recent years, the dark net has dramatically changed, quite organically, due to increased organized criminal organizations’ use of anonymous forums and marketplaces, the increased presence of young YouTube-inspired ‘criminal wannabes,’ and naturally, the subsequent increased presence of law enforcement and their attempts to infiltrate, de-anonymize, and take down such groups and hidden services,” says Mark Turnage, CEO of DarkOwl, a dark web search engine.

Dark web becoming a recruiting channel

According to Turnage, the dark web has evolved into an intermediary ground where cybercriminals interact only minimally, to poach new members for their group. They then move communications to private, encrypted channels such as Telegram, Jabber, and WickR. “Malware developers and financial fraud [criminals] rely less on dark net marketplaces for distributing their exploits and instead levy black hat forums across the deep web and darknet to establish their brand, develop clout across the community, and recruit new members,” says Turnage. “Many criminal organizations use the dark net merely to vet potential affiliates, particularly in the ransomware-as-a-service industry, and their [co-conspirators].”

Turnage says that DarkOwl has seen more technically savvy criminals increase their use of alternative decentralized dark nets and meshnets such as Lokinet and Yggdrasil. He attributes this to the short lifespan of dark net marketplaces and services on Tor and to server seizures by globally coordinated law enforcement agencies.

Moving marketplaces from Tor nodes to private messaging services may also come with technical advantages, such as distributed denial of service (DDoS) protection.
These technical safeguards may lure dark web admins, as underground marketplaces like Empire have been forced to shut themselves down following DDoS attacks by other cybercriminals in rather ironic extortion attempts. Empire’s abrupt exit has also rendered its so-called “escrow” guarantee void, prompting some patrons to label the closure an “exit scam.”

By switching patrons over to legitimate end-to-end encrypted messaging services, cybercriminals leverage the reliable distributed infrastructure of these platforms while remaining discreet and avoiding the scrutiny of law enforcement. Granted, messaging platforms like Telegram may not be entirely immune to DDoS attacks, but protecting against such attacks then becomes the responsibility of the platform owners rather than of the dark web operators.

Leveraging underground chatter for intel gathering

According to Raveed Laeb, product manager at KELA, the dark web of today offers a wide variety of goods and services. Although traditionally concentrated in forums, dark web communications and transactions have moved to different mediums, including IM platforms, automated shops, and closed communities. Through these mediums, threat actors share covert intelligence on compromised networks, stolen data, leaked databases, and other monetizable cybercrime products.

“The market shifts are focused on automation and servitization [subscription models], aimed at aiding the cybercrime business to grow at scale,” says Laeb. “As can be witnessed by the exponential rise of ransomware attacks leveraging the underground financial ecosystem, the cybercriminal-to-cybercriminal markets allow actors to seamlessly create a supply chain that supports decentralized and effective cybercrime intrusions, giving attackers an inherent edge.”

On the bright side, security professionals and threat analysts can tap into this intel to identify and patch system weaknesses before threat actors can exploit them.
“Defenders can exploit these robust and dynamic ecosystems by gaining visibility into the inner workings of the underground ecosystem, allowing them to trace the same vulnerabilities, exposures, and compromises that would be leveraged by threat actors and remediate them before they get exploited,” says Laeb.

This can be done by monitoring forums and darknet sites where threat actors are most likely to lurk, discuss upcoming threats, and put exploits up for sale. A hacker recently posted exploits for over 49,000 vulnerable Fortinet VPNs on a forum, for example, some of which belonged to prominent telecoms, banks, and government organizations. This was followed by a second forum post in which another threat actor exposed plaintext credentials for all the VPN devices for any adversary to exploit. Although the vulnerability in question is a two-year-old path-traversal bug, likely no longer on anyone’s radar, thousands of corporate VPNs on the list remained vulnerable to this critical issue.

Tapping into such forums and monitoring for such intel can give security teams a heads-up to do their due diligence on where adversaries may be headed next.

Tracking illicit activity disguised under legitimate programs

Advanced persistent threat (APT) groups are now using the dark web to gather knowledge of their targets and then using legitimate network protocols and programs for covert data exfiltration. “In the past, organizations tended to only be concerned about their own data appearing on the dark web, and even then, it would only ring alarm bells if significant data were located.
However, many of the Chinese and Russian nation-state-backed advanced persistent threat groups are now using the dark net to perform reconnaissance of potential targets, and then provide a cover for exfiltrating data,” says Vince Warrington, CEO at Dark Intelligence.

“Since the start of 2020, the use of SSH by these APT groups has increased by over 200%. Our research indicated that APT groups are using SSH via port 22 to infiltrate organizations unnoticed and, once inside, are using poorly monitored and maintained systems, especially industrial control systems, to steal significant amounts of data. Several recent attacks are alleged to have stolen over 1 terabyte of data from individual businesses, a huge amount that organizations are failing to spot because they are unable to monitor effectively for dark net connections,” says Warrington.

This point has been substantiated by the discovery last month of the massive SolarWinds supply chain attack attributed to the Russian espionage group APT29, a.k.a. Cozy Bear. By exploiting trust in a legitimate program like SolarWinds Orion and its secure update channels (or protocols), sophisticated attackers managed to silently breach over 18,000 of the 300,000 SolarWinds customers and remained undetected for months. The sinister activities conducted as part of this attack could have involved covert surveillance and data exfiltration that left no obvious trace.

This is different from cases where threat actors make noise on public or dark web forums when leaking data dumps, so monitoring the dark web alone for signs of data exfiltration isn’t enough. Threat analysts and security researchers are therefore encouraged to reevaluate their monitoring strategies.
Rather than focusing solely on detecting anomalies within corporate networks, such as foreign IPs and odd port numbers, or waiting for proprietary data to appear on the dark web, it is worth monitoring trusted programs and services, including their security updates, and your organization’s software supply chain, where threat actors could be hiding unnoticed.
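As an added example (not code from the article or from any of the vendors quoted in it), the script below shows the kind of check Warrington’s point calls for: it sums outbound SSH (TCP/22) volume per internal host over constructed flow records and flags any external SSH from an assumed industrial control system segment, or any host whose outbound SSH total passes a volume threshold. The address ranges, record format and threshold are assumptions, not values from the article.

```python
# Added example (not the article's or any vendor's code): flag hosts that push
# large volumes out over SSH, the pattern the article says goes unmonitored.
import ipaddress
from collections import defaultdict

# Constructed flow records (bytes = payload sent by src); not real telemetry.
SAMPLE_FLOWS = [
    {"src": "10.20.5.17", "dst": "203.0.113.40", "dport": 22, "proto": "tcp", "bytes": 850_000_000_000},
    {"src": "10.20.5.17", "dst": "203.0.113.40", "dport": 22, "proto": "tcp", "bytes": 400_000_000_000},
    {"src": "10.1.4.8", "dst": "198.51.100.7", "dport": 22, "proto": "tcp", "bytes": 12_000_000},
    {"src": "10.1.4.9", "dst": "10.1.4.1", "dport": 22, "proto": "tcp", "bytes": 50_000_000_000},
    {"src": "10.1.4.9", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "bytes": 900_000_000_000},
]

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]        # assumed corporate range
ICS_ZONES = [ipaddress.ip_network("10.20.0.0/16")]     # assumed OT/ICS segment


def _in(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def outbound_ssh_totals(flows):
    """Sum bytes per internal source host over TCP/22 flows that leave the network.
    Internal-to-internal SSH is treated as routine administration and skipped."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 22:
            continue
        if not _in(INTERNAL, f["src"]) or _in(INTERNAL, f["dst"]):
            continue
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def find_ssh_exfil(flows, volume_threshold=100 * 1024**3):
    """Return (src, total_bytes, reason) tuples. Any external SSH from an ICS
    segment is flagged; other hosts only above volume_threshold (100 GiB)."""
    alerts = []
    for src, total in sorted(outbound_ssh_totals(flows).items()):
        if _in(ICS_ZONES, src):
            alerts.append((src, total, "outbound SSH from ICS segment"))
        elif total > volume_threshold:
            alerts.append((src, total, "outbound SSH volume above threshold"))
    return alerts


if __name__ == "__main__":
    for alert in find_ssh_exfil(SAMPLE_FLOWS):
        print(alert)
```

In production the same aggregation would run over NetFlow or firewall logs per time window, and the threshold would be set from a per-host baseline rather than a fixed constant.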