Europol, in the recently released 2019 Internet Organized Crime Threat Assessment, covered some of the ongoing instability in the darkweb ecosystem as well as community response to some of law enforcement’s actions against marketplaces.
The report highlighted the evolution of online trade in the context of the recent takedowns of Wallstreet Market, Valhalla Maket, and DeepDotWeb. Law enforcement worldwide is aware of the disruption caused by some of the recent law enforcement operations, and “continued suspicion of law enforcement involvement.”
Below is a shortened version of the 2019 IOCTA’s section on “the criminal abuse of the dark web.”
The dark web remains the key online enabler for trade in an extensive range of criminal products and services and a priority threat for law enforcement.
Recent coordinated law enforcement activities, combined with extensive DDoS attacks, have generated distrust in the Tor environment. While there is evidence administrators are now exploring alternatives, it seems the user-friendliness, existing market variety and customer-base on Tor, makes a full migration to new platforms unlikely just yet.
There are increases in single-vendor shops and smaller fragmented markets on Tor, including those catering for specific languages. Some OCGs are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement.
Encrypted communication applications enhance single-vendor trade on the dark web, helping direct users to services and enabling closed communications. Although there is no evidence of a full business migration, there is a risk the group functions could become increasingly used to support illicit trade.
Highlighted each year is the volatility of the dark web ecosystem. This continues to be the case, intensified by effective coordinated law enforcement activity in early 2019. Authorities undertook global action against vendors in February, and Dream Market, arguably the largest market at that time, shut down voluntarily, after this. This was supposedly in response to a prolonged and persistent DDoS attack as discussed earlier in section. Soon after law enforcement announced the shutdown of two of the remaining top dark web markets, Wall Street Market and Valhalla, followed by Bestmixer, the mixing and tumbling service hosted in part on the dark web.
Lastly, law enforcement shut down the online dark web information resource DeepDotWeb after its administrators received millions of euros in kickbacks for referrals to dark web marketplaces selling fentanyl, heroin and other illegal goods. The coordinated law enforcement efforts, together with continued DDoS attacks, have had a significant impact on the dark web in terms of generating distrust and, at the time of writing, the environment remains in a state of flux. The emergence of new multi-vendor top markets is apparent, however, as are increased exit scams, including some of those initially appearing to dominate. The apparent re-emergence of the Dream Market, which claims to have re-opened in July 2019 as Samsara Market has also taken place.
Dark web reports almost exclusively refer to use of the Tor platform, although there is evidence of criminality on most similar privacy-orientated software i.e., Tor, I2P, Zeronet, Freenet, Openbazaar, etc. In previous reports, the suggestion was the succession of law enforcement takedowns and other security issues would push the dark web sites and services to these other platforms. The Libertas Market did briefly switch to solely operating on I2P following the recent law enforcement activities, only to cease operating shortly after due to a low customer base. There are no other examples of this type of move, therefore, while the risk of alternatives remains, it seems the user-friendliness, existing market variety and customer-base on Tor, makes a full migration from customers or markets to new platforms unlikely just yet.
However, for this market growth has been slow due to continued suspicion over law enforcement involvement. Finally, some markets have changed their policies to prohibit the sale of fentanyl and weapons and explosives in an attempt to avoid law enforcement attention, albeit the sale of these commodities continues under different guises and on other sites.
Instead, criminals are exploring alternative means of circumventing law enforcement within the Tor environment. In last year’s report, the suggestion was the closure of larger marketplaces would result in a growth in the number of single-vendor shops and smaller fragmented markets. This forecast is indeed true with confirmed increases in single-vendor shops operating on independent .onion sites and smaller markets, including those catering for specific languages. However, not anticipated last year was the emergence of multi-identity business models, where OCGs maintain multiple profiles online, on multiple platforms, in order to operate as multiple distinct individuals rather than a single entity. By fragmenting their business over a range of online monikers on marketplaces and disparate vendor shops, it reduces the perception of the scale of the OCG, and keeps them under the radar of law enforcement, compared to the attention they might receive operating as a single multi-commodity vendor with a higher customer base. This creates further challenges for law enforcement, as in addition to the usual attribution issues associated with dark web investigations, investigators must also make these connections on order to determine the true scope and scale of an OCG.
In addition to circumventing law enforcement, criminal developers are also motivated by the need to increase trust with their customer-base on Tor, both in terms of anonymity but also by reducing the risk of exit scams. An example of such a market is Black Dog, scheduled for launch in August 2019. It claims to be the ‘first ever truly decentralized cryptomarket’ and depends on the Ethereum blockchain to facilitate transactions, without the need for a traditional marketplace GUI as found on Tor markets. The market also utilities the smart contracts component of the Ethereum blockchain to allow credible transactions without the need for a third party.
Separate to Darknet platforms, predicted last year was that some vendors might migrate their business to encrypted communications applications, running their shops within private channels/groups and even the encrypted messaging platforms evolving into functional marketplaces. Although there does appear to be an increased use of encrypted communications applications to enhance the single-vendor trade on the dark web, helping direct users to services and enabling closed communications, there does not appear to be a full business migration. There have been some instances where group functions have supported functional marketplaces with perpetrators selling different criminal commodities, much like the different sub-forums on a typical online forum.
However, these markets, although simple to set up (as the platform provides the infrastructure) and easy to revive if taken down, offer little in the way of security for their customers, i.e. there is no escrow or similar services. They can also be less technically challenging than a Tor-based site to take down, as they sometimes only require an abuse notification sent to the provider, who, if they respond to such requests (not always the case), can ban or delete the group. It is therefore unclear how and to what extent cybercriminals may adopt this market approach, and much of which depends on law enforcement relationships with industry partners in this sector and the ability to locate and effectively take them offline once identified.
The currency of the dark web enterprises remains virtual and an estimated USD 1 billion has been spent on the dark web this year alone. Bitcoin remains the most frequently used currency, believed to be a consequence of familiarity within the customer base. However, there has been a more pronounced shift towards more privacy-orientated currencies, a trend that it is anticipated will continue as criminal users become more security aware.
More coordinated investigation and prevention actions targeting the dark web as a whole are required, demonstrating the ability of law enforcement and deterring those who are using it for illicit activity. An improved real-time information position must be maintained to enable law enforcement efforts to tackle the dark web. The capability will enable the identification, categorization and analysis through advanced techniques including machine learning and artificial intelligence.
An EU-wide framework is required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation. Improved coordination and standardization of undercover online investigations are required to de-conflict dark web investigations and address the disparity in capabilities across the EU
The full PDF is available at Europol’s website.