On 22 Sep 2020, a joint international operation resulted in 179 individuals’ arrest and the seizures of USD 6.5 million and 500 kilograms of illicit substances. The successful outcome of Operation DisrupTor (pause for appreciation of the operation name) elicited some strong words from the head of Europol’s European Cybercrime Centre (EC3). According to the EC3, “the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” followed by Europol claiming that “the golden age of the dark web marketplace is over.”
This discovery caused us to have a retrospective look at the history of dark web marketplaces, a trip down dark web memory lane if you will. How can one forget Silk Road and the “Dread Pirate Roberts”? Silk Road was one of the first dark web marketplaces to conduct sales using the once-strange concept of Bitcoin back in February 2011. It quickly gained notoriety and popularity, but popularity drew attention from criminals and law enforcement alike. In 2013, and because of action taken by the FBI, Silk Road was no more, and other dark web marketplaces took off in the wake of its demise. Dread Pirate Roberts, Silk Road’s founder, received a life sentence, which was likely meant to be a deterrent. Still, some reports claim that dark web activity and drug listings multiplied after the fall of Silk Road.
In a post-Silk Road dark web world, it was a matter of time before a new market took the reins; Silk Road 2.0 was created by some former Silk Road admins, but its tenure didn’t last – the FBI and UK’s National Crime Agency took it down via Operation Onymous. Enter Agora marketplace, which survived Operation Onymous and, in April 2015, surpassed the number of listings that Silk Road maintained at its height. Many dark web criminals were victims of exit scams during this time, where marketplace admins closed sites and took everyone’s funds. However, Agora remained a key contender for the dark web marketplace supremo until its disappearance in August 2015, which paved the way for the alpha of dark web marketplaces, AlphaBay.
AlphaBay took over a large portion of Agora’s customers and vendors and, by October 2015, held the dark web marketplace crown. That is until its downfall in July 2017, at the hands of Operation Bayonet, one of the most significant shakeups of the dark web marketplace landscape. The removal of AlphaBay and Hansa sent a clear message to the criminal underground; law enforcement agencies maintain a presence in these marketplaces – they even put this ominous splash page over AlphaBay and Hansa:
Following AlphaBay and Hansa’s fall, Dream Market reigned supreme for a while, alongside other notables such as Empire and Apollon. A more recent example of a marketplace that received the law enforcement treatment was Wall Street Market (WSM). WSM, at its peak, was booming with more than a million user accounts and 5,400 vendors. On 23 April 2019, rumours of an exit scam emerged as WSM admins claimed the site was going down for “maintenance.” As a part of that “maintenance,” the admins transferred customers’ funds to their accounts. Reports indicate WSM admins may have initiated an exit scam because of looming law enforcement activity. It’s also possible that reports of a potential exit scam caught law enforcement’s attention, and they wanted to catch the responsible parties before they got away and went into hiding. Regardless WSM ceased operations in May 2020.
Clearly there is a trend here. A dark web marketplace is created, a dark web marketplace becomes popular, a dark web marketplace is taken down, rinse and repeat. While Operation DisrupTor (again kudos to whoever is naming these things) was, in many ways, a successful operation and a landmark for law enforcement activity from a dark web marketplace perspective, the belief that the “Golden Era” of dark web market activity is over is a bit far-fetched. It would be naive to assume that cyber criminals are unaware of law enforcement representatives maintaining a presence in these forums and marketplaces. In turn, this presence doesn’t stop them from continuing to operate as the risk of being caught rarely outweighs the monetary reward they are achieving. The historical seizures of dark web marketplaces and marketplace exit scams have continually resulted in new marketplaces emerging.
WHAT DOES THIS MEAN FOR CYBERCRIMINALS?
More than likely, law enforcement takedowns will be a powerful reminder of the importance of operational security (OPSEC). OPSEC is not just reinforced in the security world, but criminals’ practice this just as much, if not more. The screenshot below illustrates the level of detail that threat actors place in their OPSEC practices:
As law enforcement agencies continue to grow in their capabilities and establish footholds within the criminal underground, criminals will continue to adapt and adjust their tactics to circumvent compromise. That’s just how it has always been, and after all, what would law enforcement agencies be without criminals?