
The Deep Implications of Dark Web Takedowns

The dark web is known for volatility, but within the past month, several planned shutdowns, exit scams, law enforcement takedowns, extortion attempts, and distributed denial-of-service attacks may have changed the methods and venues by which cybercriminals conduct illicit activity.

May 21, 2019

By Ian W. Gray

It is premature to accurately assess the long-term impact of prolonged dark web marketplace unavailability. It is likely that threat actors will change their behavior in terms of the markets they visit and the tools they use to access new markets. Since 2017, more sophisticated cybercriminal operations have been using blockchain DNS to host web shops. Encrypted chat applications have also been growing in popularity, as they provide security by default and are more convenient than Tor or other alternatives. They can also work as a gateway for less sophisticated cybercriminals in countries with less developed internet infrastructure to buy, sell, or trade hacked accounts and credit card information.

Law enforcement takedowns provide some insights into threat actor activity, including changes in tactics, techniques, and procedures over time. Following the major dark web takedowns of Silk Road (2013), and AlphaBay and Hansa (2017), cybercriminals began to introduce new technologies, including privacy-focused cryptocurrencies such as Monero, or multi-signature wallets. While law enforcement has temporarily abated cybercrime on the dark web, it is unclear what new technologies or methods cybercriminals will use to recover their illicit online businesses, and in what format this new venue will appear.

New venues for cybercrime on the dark web often depend upon security and privacy, but also on the availability of the market and its convenience. For example, after AlphaBay’s takedown, Dream Market became one of the most popular dark web marketplaces in terms of users and listings. Dream Market was online prior to AlphaBay, and was not favored by most threat actors until AlphaBay was taken down. The prevailing circumstances of the dark web made Dream Market appear a suitable substitute because of its availability and listings.

Empire Market, which imitates many of the usability features of AlphaBay, has not yet acquired the user base or volume of AlphaBay despite offering a very similar user experience. On March 26, Dream Market announced it planned to shut down on April 30 and transfer its operations to a partner service with a new infrastructure in August. Its user base migrated to Wall Street Market, the second most popular marketplace, which promptly attempted an exit scam and was seized by an international law enforcement operation. In the absence of Dream or AlphaBay, Empire Market may now have the opportunity to rise to the scale of AlphaBay, if it can avoid eventual shutdown or the competition of new market entrants.

Finding new marketplaces may be a little difficult for new customers intrigued by the reports of dark web takedowns. The dark web does not have any search engines that are comparable to Google; however, several open source and .onion sites operated as gateways, serving links to the top markets in exchange for referral bonuses and profiting from the sale of illegal narcotics and digital goods.

On May 8, the Department of Justice announced that DeepDotWeb, a centralized information source for dark web activity, was taken down. One day later, a similar site called Dark Web News went offline of its own volition. These takedowns and shutdowns crippled the infrastructure and changed the way that cybercriminals interact with the dark web.

While law enforcement has been a principal factor in the changing landscape, cybercriminals have also contributed to this volatility. Over the past month, a user has been extorting marketplace admins and exploiting a Tor vulnerability to carry out distributed denial-of-service attacks. The extortionist has also taken down centralized dark web message boards that are used to share information about vendors, marketplaces, and best practices. The administrators, while fighting to maintain uptime, are feverishly sharing mirrors of the existing marketplaces, which are sites that contain nearly identical information but are hosted on different URLs. These marketplaces, including Empire Market, are also struggling to maintain uptime in light of increasing DDoS attacks. These fluctuations raise the question: What will be the next top dark web marketplace?

As cybercriminals are continually prevented from dark web activity by internal and external forces, it becomes more likely that newer technology, such as encrypted chat applications or blockchain DNS, may become suitable substitutes. While they currently lack the ability to provide secure payments or repudiation, the disappearance of the dark web markets may compel cybercriminals to attempt starting new venues or using new technologies—or get arrested trying.