Era of the eBay-Like Underground Markets Is Ending
Report: Cybercriminals Moving to Secure Chat Platforms, Conventional Forums
It probably wasn't a good idea anyway: Creating an underground online market with all the features of eBay, but offering a smorgasbord of fake IDs, drugs, malware and stolen credit card numbers.
The most famous market, Silk Road, was shuttered in 2013 after an off-duty IRS agent discovered an email address that led to its lead developer, Ross Ulbricht. Last year, AlphaBay was seized after a similar mistake by one of its developers, and Hansa fell after law enforcement managed to infiltrate the site (see Police Seize World's Two Largest Darknet Marketplaces).
Other underground markets, such as Dream Market and Olympus, are still around. But neither matches the popularity of AlphaBay, says Digital Shadows, a threat intelligence company that studies cybercrime.
The company issued a new report earlier this week that notes that cybercriminal activity certainly isn't declining, but the era of the underground market may be passing. Instead, cybercriminals are doing deals using encrypted chat platforms.
"The primary channels are Telegram, Discord, Skype, Jabber, and IRC," the report says. "With buyers and sellers spread widely across an increasingly decentralized community, the belief is that it will be more difficult for law enforcement."
Indeed, law enforcement agencies in the U.S., U.K., and Australia have warned that the increasing use of encryption, especially over chat services, is posing difficulties for crime investigators. While some experts contest the claims, law enforcement is pushing for legislation to put greater pressure on the technology industry to assist decryption efforts (see Australia Plans to Force Tech Companies to Decrypt Content).
A variety of factors are contributing to the decline of underground marketplaces, Digital Shadows says.
Markets such as the Silk Road and others were "hidden" websites, which used the Tor anonymity system to mask the sites' real IP addresses. But setting up the sites and maintaining them poses risks. No one person can do it all alone. It's also not cheap, Digital Shadows says.
Administrators must pay for staff, bulletproof hosting, DDoS protection and sometimes bug bounty programs. The dependence on other players and services also creates more touch points for law enforcement investigators to tap.
Plus, buyers are becoming increasingly skittish, afraid of being duped into ordering from a site that has been co-opted by the law. Then there's also fear of losing money to scammers on an underground site, a somewhat ironic risk.
"Conducting online transactions on underground marketplaces has always entailed a high degree of risk," Digital Shadows says. "Site owners often perform exit scams and steal funds from customers, sellers sometimes renege on their promises and the threat of law enforcement always looms large."
The danger of running and transacting with underground marketplaces has driven some back to conventional forums, such as Exploit[dot]in, with deals made directly between buyers and sellers over encrypted chat.
Those forums have also sought to increase their security and privacy protections, including use of blockchain-based DNS, Digital Shadows says.
Blockchains are distributed, peer-to-peer ledgers that record transactions for virtual currencies, such as bitcoin. Blockchains are relatively tamper-proof and can be used to store any type of data, not just transaction data.
The top-level domains for websites using blockchain DNS systems sit outside the normal DNS, so a plugin or a proxy service has to be used to successfully resolve a domain.
But once domain registration information has been lodged into a blockchain, the domains are resistant to DNS-related censorship and hijacking. That has already made DNS blockchains appealing to malware writers, FireEye wrote in April.
Digital Shadows says the Joker's Stash site, a well-known carding site, is using the .bazar TLD, which is an Emercoin TLD, in addition to a .onion domain.
"As blockchain domains do not have a central authority, and registrations contain a unique encrypted hash of each user rather than an individual's name or address, it is much harder for law enforcement to take down criminal sites," the report says.
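Because these TLDs sit outside the normal DNS, lookups for them stand out in resolver logs. The following is an added example, not taken from the article or the Digital Shadows report: it flags clients that query such names and separates leaked attempts from lookups that something on the path actually resolved. The log format, sample lines and hostnames are constructed, and the TLDs other than .bazar and .onion are assumptions added from general knowledge.

```python
from collections import defaultdict

# .bazar is the Emercoin TLD the article names; .coin/.emc/.lib (Emercoin) and
# .bit (Namecoin) are added from general knowledge. .onion is Tor, not
# blockchain DNS, but it also sits outside the normal DNS.
ALT_TLDS = {"bazar": "Emercoin", "coin": "Emercoin", "emc": "Emercoin",
            "lib": "Emercoin", "bit": "Namecoin", "onion": "Tor"}

# Constructed sample. Assumed format: <time> <client> <qname> <qtype> <rcode>
SAMPLE_LOG = """\
2018-08-01T10:00:01Z 10.0.0.5 www.example.com. A NOERROR
2018-08-01T10:00:02Z 10.0.0.7 shop.example.BAZAR. A NXDOMAIN
2018-08-01T10:00:03Z 10.0.0.7 shop.example.bazar A NXDOMAIN
2018-08-01T10:00:04Z 10.0.0.9 bazar.example.com A NOERROR
2018-08-01T10:00:05Z 10.0.0.9 constructedexample.onion AAAA NXDOMAIN
2018-08-01T10:00:06Z 10.0.0.5 wallet.example.bit A NOERROR
malformed line
"""

def tld_of(qname):
    """Return the rightmost label, ignoring case and a trailing root dot."""
    return qname.rstrip(".").lower().rsplit(".", 1)[-1]

def scan(log_text):
    """Group alternative-TLD lookups by (client, naming system)."""
    findings = defaultdict(lambda: {"names": set(), "resolved": False})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _time, client, qname, _qtype, rcode = fields
        system = ALT_TLDS.get(tld_of(qname))
        if system is None:
            continue  # ordinary name, including "bazar" as a non-TLD label
        entry = findings[(client, system)]
        entry["names"].add(qname.rstrip(".").lower())
        # NOERROR means something on the path can resolve the name
        # (a proxy or alternative resolver); NXDOMAIN is a leaked attempt.
        if rcode == "NOERROR":
            entry["resolved"] = True
    return dict(findings)

if __name__ == "__main__":
    for (client, system), info in sorted(scan(SAMPLE_LOG).items()):
        state = "resolved" if info["resolved"] else "attempted"
        print(client, system, state, sorted(info["names"]))
```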