Throughout 2022, Flashpoint observed the increased popularity of encrypted messaging apps (such as Telegram) as major illicit communities endured shutdowns and setbacks. While this “decentralized” trend will likely continue, some of Libre’s positive reception indicates that many dark web users still prefer “centralized” communities to share information, where all of the information is contained in one venue as opposed to being spread through various channels or sites.
In this blog, we examine the emergence of Libre, its promise as a centralized illicit community in the lineage of Dread, as well as its limitations—and what this means for dark web markets overall.
Centralized vs. decentralized
First, a note on what we mean by centralized vs. decentralized platforms. Though this could easily entail a blog series unto itself, in general, centralized communities refer to forums that operate as standalone platforms that involve subforums, moderation, posting history, and usually some kind of reputation or ranking system. Decentralized, rather, refers to both encrypted and unencrypted messaging platforms, where illicit activity is based around individual channels to organize, share information, and establish trust between threat actors.
Centralized forums have long played a role as communication channels for dark web vendors and customers. Prior to its takedown, AlphaBay’s forum was a crucial hub for reviewing vendors, managing disputes, and general information sharing. Following AlphaBay’s demise, dark web denizens flourished in various communities on Reddit, until the site purged many of them in 2018.
It was in this scene that Dread emerged as a life raft for dark web denizens displaced by Reddit’s crackdown. Dread was founded in 2018 by HugBunter, an underground penetration tester who gained admiration and ire for their security reports of various dark web markets. HugBunter has often described Dread’s mission to be a trusted neutral party. In the context of the Western dark web, this generally means reducing the chances of being ripped off by a vendor, losing your funds in an exit scam, or getting apprehended by law enforcement. To facilitate its focus on being a trusted third party, it launched “Recon,” a dark web search engine that consolidated vendor information and reviews across different markets.
Dread grew significantly since its launch in 2018, with numerous “subdreads” (the Dread equivalent of a subreddit) pertaining to specific dark web markets, cybercrime, and operational security. However, as a side effect of this growth, Dread became the target of frequent and sustained DDoS attacks. It is generally understood that these attacks were usually from extortionists exploiting vulnerabilities in the Tor network, or market operators attempting to sow confusion before exit scamming and stealing their clients’ funds. After suffering sustained downtime last year, in late November 2022 Dread went offline for server upgrades in the hopes of returning with more resilient infrastructure. Despite several updates from HugBunter (and requests for donations to pay for Dread’s upgrades), Dread has yet to return online as of this publishing.
Libre fills a vacuum
As a cornerstone of the Western drug market community for several years, Dread’s frequent downtime created an information vacuum for many of its users. In this space emerged Libre Forum, another Reddit clone that some now see as an alternative and possible replacement for Dread.
Libre was founded in December 2022. Its founders are experienced dark web operators, apparently consisting of the same crew behind the Incognito Market and Antinalysis, an “anti-anti money laundering” blockchain analyzer marketed to cybercriminals. Libre appears to still be in the early stages of development, as the administrators have dealt with infrastructure issues and mitigating bots.
Early Libre learnings: A mixed bag
Many Libre users so far have responded positively to the forum’s architecture and promise. Some users utilize the space to wonder whether or not Dread will return. Meanwhile, other users are interested in rebuilding some of the knowledge and community built up over the years on Dread. Some Libre users also expressed relief that there is an alternative community again to discuss dark web matters while hoping that Dread will return.
Perhaps nothing else better exhibits the demand for a reliable, centralized communities than a January 21 update from an exhausted and frustrated HugBunter, amid frequent cries regarding when Dread would finally return:
Libre’s uphill battle
The lineage of AlphaBay, Reddit, Dread and now to Libre provides a window into how threat actors organize and their continued appetite for vetted, reliable platforms to share information and conduct business. Despite filling much of the same functionality, each of these past cybercriminal communities have faced challenges unique to their operating environments.
Libre is hardly a total replacement for Dread—a forum that has been a key player in the dark web ecosystem since 2018. Libre’s long-term success will depend in part on whether Dread successfully returns and, if so, in what capacity. Dread’s wealth of stored knowledge likely means that should it return, it will likely still have a role despite potential competition from Libre.
Another challenge Libre faces is its association with Incognito Market, which could limit its ability to bill itself as an impartial party. This is in contrast with notionally neutral Dread, which is not publicly affiliated with any single market. In addition, if Libre continues to grow, it could also be targeted by DDoS attacks in a similar fashion to Dread.
This all said, threat actor chatter suggests that an alternative to Dread—its reliability, functionality, and centralization—has long been desired. This would suggest that even if Dread returns, threat actors may continue to seek other centralized communities to navigate the dark web, avoid scammers and exit scams, evade law enforcement, and continue their illicit dealings.
Keep a close eye on illicit communities with Flashpoint
Flashpoint cyber threat intelligence tools provide teams with access to illicit online communities including closed sources across forums, the open web and chat services platforms, as well as indicators of compromise (IOCs), and technical data as analyzed by Flashpoint intelligence analysts. Sign up for a free trial today.