While some big marketplaces have retired, new players are vying for dominance, experts say.
Eleven years after Ross "Dread Pirate Roberts" Ulbricht launched his groundbreaking online dark web marketplace, Silk Road, a new generation of underground marketplaces continues to sell illegal substances, malware, guns and more online, often through dark web sites.
However, dark web marketplace administrators, buyers and sellers continue to face many challenges, including the risk of arrest. But while individual dark web marketplaces come and go, the business model appears to not only continue to exist, but to thrive.
Explaining the reasons for the continued existence of dark web marketplaces, researchers at threat intelligence firm Digital Shadows said, "There are two main reasons here: the lack of alternatives and the ease of use of the marketplace."
Victoria Kivilevich, a threat intelligence analyst at Israeli cybersecurity firm Kela, said dark web marketplaces are websites, often accessible only through the anonymous Tor browser, that offer "a variety of goods, products and services provided by and to cybercriminals. . But she said it's important to distinguish between two main types: drug-centric marketplaces and those that offer "web-related things like logins, databases, malware, etc."
Online alternatives exist for both. Potential dark web marketplace buyers and sellers can always try to move their business elsewhere - for example, using encrypted messaging applications. But for many, what the marketplaces offer seems to continue to outweigh the disadvantages of using them. The benefits include marketplaces as a centralized location for buyers and sellers to connect, ratings of sellers and items that help guide buyers and remove scammers, marketplaces that provide escrow funds until orders are fulfilled, and dispute resolution services for disputed disputes.
One of the longest-running and most popular dark web marketplaces remains Hydra in Russian, which does not welcome non-Russian speakers or anyone not in or around Russia.
Turnover continues to grow
However, many other geographically-free dark web marketplaces continue to come and go for reasons that may vary, as blockchain analytics firm Elliptic highlights in its research report, "Why the Multi-Billion Dollar Dark Web Marketplace is Retiring."
In the past 12 months, several large marketplaces have exited, often by choice after years of operation. They include.
Credit card marketplace Joker's Stash - 2014 to January 2021.
White House, a general merchandise marketplace - February 2019 to October 2021
Cannazon, a cannabis-focused marketplace - March 2018 to November 2021
Generic goods and drugs market Torrez - April 2020 to December 2021
UniCC, a credit card marketplace - from 2013 to January 2022
UniCC affiliate site Luxsocks - May 2014 to January 2022.
But numerous other dark web marketplaces, both old and new, still exist, including Bohemia, MGM Grand, Tor2door, World Market, and the relaunched AlphaBay.
Why Dark Web Marketplaces Will Disappear
Elliptic identifies five reasons why dark web market managers typically exit the history books.
Wealth freedom: they have made a lot of money and can retire.
Risk Awareness: the perceived risk of arrest is too great.
Ransom attacks: Marketplace operators are often hit by cybercriminals, including through distributed denial-of-service attacks, unless they pay the equivalent of an online protection fee, also known as a ransom.
Personal reasons: Administrators sometimes cite changes in circumstances, such as their physical health.
Police arrests: Administrators can and do get identified and arrested, and their marketplaces can be taken over or disrupted.
Another reason why dark web marketplaces go dark is the "exit scam". Again, many active marketplaces offer escrow systems to ensure that buyers and sellers are protected from fraud until their orders are fulfilled. But because dark web marketplaces sometimes host millions of dollars worth of cryptocurrencies, many administrators choose to abandon their sites and dump all bitcoin, Monroe and other digital currencies.
However, Elliptic notes that for at least the past six months, exit scams seem to be less common than they once were, for whatever reason.
"We're not young."
Some markets seem likely to disappear for more than one reason. Last month, after Joker's Stash announced the retirement of UniCC, then the world's largest marketplace for stolen payment card data, the anonymous administrator of UniCC announced his retirement in a forum post. "We are not young and our health does not allow us to work like this anymore." It read.
By all accounts, the site has been very successful. "UniCC has been active since 2013, during which time it received a total of $358 million in cryptocurrency payments involving bitcoin, litecoin, ethereum and dashcoin." Elliptic said in a report at the time. "Tens of thousands of new cards are listed for sale on the market every day, and it is known for having many different providers - fierce competition keeps prices relatively low."
University of Montreal criminologist David DeCarry-Hetto told the BBC that closing in this orderly fashion is known as "sunsetting" or "voluntary retirement.
He said, "It seems to be happening a lot more now, where the dark web trading markets gracefully exit and say 'we've made enough money that we're going to retire and go into sunset before we get caught.'" This is thanks to larger marketplaces, such as Torrez, which earn their admins $100,000 a day - and more - through commissions earned per transaction.
The Dark Web Market: A Healthy Outlook
But with at least six major marketplaces ceasing operations in the past year, does this mean that the dark web market itself is on the decline?
Kela's Kivilevich says of the web-focused dark web market, "We believe that the last two years have not fundamentally changed the market landscape, with several large marketplaces closing, UniCC being the last example; however, new marketplaces continue to emerge."
The exit of one market is still an opportunity for another, says Kivilevich: "When a market closes, its users are actively looking for alternatives, while competitors are promoting themselves, eager to fill a void. For example, when Joker's Stash exited, UniCC made a bid for its customers and subsequently seemed to reap substantial profits."
In general, Kivilevich says the development continues in the direction of what is known in the dark web community as "auto stores," referring to sites that sell goods and services in a highly automated manner. "servitization," which is "designed to help the cybercrime business grow massively."
More sites are being created in this way, and "we expect this trend to continue," she adds.
One example is the log market, which sells batches of information - such as payment card data, cryptocurrency wallet credentials and passwords saved in browsers - in separate units, each called a "bot ". At the top end of the market is Genesis, followed by Russia Market, and another site called 2easy, which only recently debuted. All of these aim to make buying and selling easy in a highly automated way (bots).
Russia Arrests Accused UniCC Administrator
But that doesn't mean that early retirement is a foolproof solution for dark web marketplace operators.
For example, despite the UniCC administrator's retirement on health grounds, Russian news agency TASS first reported on January 22 that shortly after the post, the Russian Federal Security Service (FSB) arrested Andrey Sergeevich Novak, the marketplace's alleged administrator, and placed under house arrest three alleged co-conspirators in the crime of hacking.
Around the same time, a marketplace affiliated with UniCC called Luxsocks also went offline, and its website is now parsed as an apparent removal alert notice issued by the Russian Interior Ministry, Elliptic reported.
Whether the alleged administrators of UniCC were aware of FSB's interest in their activities before the site announced its exit - and whether they may have also been involved in Luxsocks - is unclear. But TASS reports that all four suspects face two charges under Russian criminal law: "illegal acquisition of computer information" (Article 272) and "illegal circulation of means of payment" (Article 187).
Novak is also wanted by U.S. authorities and is being prosecuted for allegedly being the founder of Infraud, a financial-focused cybercrime group that was dismantled in 2018 and which prosecutors have linked to $530 million in losses. However, Russia never extradites its citizens.
The accelerated pace of cybercrime disruption
The news of the four suspects' arrests comes a week after the Russian Federal Security Service arrested 14 people suspected of involvement in the REvil (aka Sodinokibi) ransomware operation.
Whether more arrests of suspected cybercriminals, including dark web marketplace operators, will follow remains to be seen. But the risk of arrest remains real for all involved, and sometimes months or even years down the road.
Law enforcement agencies can patiently gather intelligence on all those involved, allowing them to eventually unmask people like Silk Road's Ulbrich, who was arrested by the FBI at a San Francisco library in 2013. AlphaBay then became the world's leading dark web marketplace after its launch in December 2014. But it too was shut down by the FBI in July 2017, coinciding with the arrest of the Canadian citizen who ran the site in Thailand.
Information gathered from the dismantling of the dark web marketplace provided the basis for further investigations. This week, Slava Dmitriev, a Canadian national, was sentenced to three years in prison. Dmitriev pleaded guilty last year in a U.S. court to trading stolen personal information and interacting with The Dark Overlord hacking and extortion group. Prosecutors allege Dmitriev netted at least $100,000 by trading stolen identity information, including Social Security numbers, through AlphaBay.
Dmitriev was arrested in September 2020 while traveling in Greece and was extradited to the United States in January 2021. The U.S. Department of Justice said the charges against him include activity from at least May 2016 through July 2017.
This demonstrates the risk that dark web marketplaces pose to all involved. While they may facilitate the online buying and selling of illegal goods in the short term, with administrators earning lucrative commissions, is operating or using them worth the long-term risk?
So far, the steady influx of new players and the variety of sites on offer suggests that some people are still willing to take the risk. "Dark Web marketplaces are still very lucrative industries, if anything, and the retirement of these people can give operators confidence that they can run a successful marketplace and make their fortune - without getting arrested." Elliptic said.