Global Cybercrime Market Revenue Surged to $1.7 Billion in 2020, Chainalysis reports. Underground markets continue to thrive despite being regularly targeted by international law enforcement agencies and site administrators often steal buyers' and sellers' cryptocurrency via "exit scams" and users get ripped off.
Darknet markets persist because users are willing to risk losing funds, risk arrest and will keep their loses quiet if scammed. Yet, for anyone who wants to buy or sell ‘illegal’ goods or services online, what other options - other than keeping quiet - do they have? As they say, there is no honor among thieves. Alternative user tactics include cybercrime forums, but the best ones tend to be restricted to users in Russia and neighboring countries. Other options are to use legitimate, encrypted messaging apps, such as Telegram, Discord, Jabber and Wickr. Criminals often distrust tools not built by and for criminals.
Buyers and sellers still need to find ways to first connect, and that is a benefit readily provided by darknet or dark web markets (. onion) websites that can only be reached by using the anonymizing Tor browser. Many darknet markets also offer the ability for buyers and sellers to rate each other. Some offer escrow services so that funds will not flow until transactions have been confirmed. Some cyber actors offer more personal service, for example, by helping to facilitate the delivery of products, such as illicit drugs.
As in free enterprise, the markets live on, led by Hydra, the world's largest darknet market, which serves only Russian speakers and accounted for 75% of global darknet market revenue in 2020. The company has issued a report tracing how cryptocurrency flowed to and from such markets last year.
Overall darknet market revenues were flat from 2019 to 2020, except for Hydra, Chainalysis says. Hydra handled more than $1.2 billion in cryptocurrency in 2020. "This is the biggest year on record for darknet marketplaces,” Kim Grauer, head of research at Chainalysis, stated. "Hydra is really the crux of this." Russian investigative news site Project in 2019 reported that Hydra had 2.5 million accounts, of which 393,000 or about 15% of account holders had made at least one purchase.
Hydra's membership is several orders of magnitude larger than rivals, such as DarkMarket, which had more than 500,000 users until it was disrupted in January 2021 hby an international cooperation police operation. Prior to that, one of the dominant players was Empire Market, with 1.3 million users. One or more of its administrators shut down the site last summer, leaving, via an exit scam, with a fortune of bitcoins and other digital currencies the site was holding in escrow.
In April 2019, Wall Street Market, another major player, with 1.15 million users suffered death by exit scam, with administrators departing with an estimated $13 million worth of users' bitcoins. Who can you trust in any criminal empire?
What are users buying via darknet markets? Based on total revenue, in 2020, "fraud shops" selling stolen payment card data, hacking tools and counterfeit payment cards had more revenue than markets that sold illicit drugs, per the Chainalysis report.
Darknet buyers and sellers are global. Chainalysis says the top countries, as measured by cryptocurrency transaction volumes last year, were Russia due the success of Hydra followed by the U.S., Ukraine, China and Britain.
Drugs do remain a popular darknet market product, and historical patterns of how drugs get bought and sold parallel illicit cryptocurrency flows last year. Generally speaking, drugs are grown or manufactured in Latin America and Asia and consumed in North America and Northern and Western Europe. Darknet vendors and administrators typically launder funds through cryptocurrency services often using the services of over-the-counter brokers located in China or Eastern Europe.
For funds being moved out of darknets by sellers and administrators taking a cut of every transaction, Chainalysis reported that from 2019 to 2020, it saw a marked increase, from 5% to 13%, in the share of funds being routed first to laundering or mixing services, which are also known as tumbling services. These third-party services attempt to mix bitcoins by routing them between numerous addresses as a way of laundering the cryptocurrency. In return, mixing service administrators keep a percentage of all cryptocurrency they mix. The increased use of such services may reflect increasing caution from darknet market vendors and administrators following law enforcement crackdowns.
While Hydra still dominates the darknet market landscape, the site's administrators try to restrict its use to Russian speakers. This is part of a broader trend, bolstered by a distrust of the West as well as a desire to keep foreign law enforcement agencies at bay. With colloquialism-laden posts and listings and a trust-based system designed to block unwanted users nonnative Russian speakers who want to gain access to Russian-language forums, including Hydra, face numerous language hurdles.
Hydra is designed to serve domestic buyers and sellers, at least where physical goods are concerned. As Vice reported in 2020, part of Hydra's popularity can be tied to constant innovation. For example, in training an army of couriers to use dead drops for fulfilling drug deliveries in Russia.
"The online stores on Hydra employ drug dealers known as kladmen ('treasuremen' or 'droppers'), whose job is to stash drugs in GPS-tagged hiding spots ready for pick up by online buyers," Vice reports. "It’s a street-tech workaround in a country where the postal system is slow and unreliable and regular street drug dealing is highly risky."
Other goods and services are also available via darknet markets. The BBC reports that two teenagers in Russia admitted to fulfilling a murder-for-hire contract against a police inspector, Evgenia Shishkina, near Moscow in October 2018, in return for 1 million rubles (about US$13,500). A darknet drug seller the BBC reporter was investigating allegedly hired the hitman and his accomplice via a listing on Hydra.
Our cool tool, RedXray can help with supporting network defenses and MSSP’s - in a proactive manner - by identifying underground threats and vulnerabilities.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941