Red Teaming


The Life and Death of Dark Web Markets

Darknet markets are where cyber exploits, malware, and lots of illegal items are sold on the Dark Web. They're launched, then the cops bring them down! Learn all about it.


KimCrawley, Sep 14, 2021

The Dark Web is the part of the web that’s only accessible through proxy networks, Tor and I2P specifically. You may be surprised that a lot of mainstream organizations have websites on the Tor Network, including Facebook and the BBC. The Tor and I2P networks provide people with an important tool they can use to communicate while keeping their identities private. For instance, journalists who work in parts of the world that are at war have used Tor to do their very important research and activism work. Using Tor and I2P is legal in most of the world outside of China.

If you’d like to learn more about the Dark Web and how you can legally explore it yourself, check out my Dark Web exploration guide for n00bs here. I recommend that you launch Pwnbox, then you can use Tor Browser from there to see what’s on the Dark Web. 

I do a lot of research on the Dark Web for the financial services sector. Because although a lot of the content on the Dark Web is legal and innocuous, the privacy that proxy networks provide has also made it a tool for criminals. 

Dark Web markets are the number one destination for cybercriminals who want to sell malware, ransomware-as-a-service, and databases of breached data. A lot of the breached data that can be purchased through Dark Web markets for cryptocurrency is very dangerous in the wrong hands. Criminals are selling credit card numbers, usernames and passwords, and “fullz”: the complete set of personal information that’s needed to engage in identity and financial fraud. Almost everything else you can imagine that’s illegal is sold in Dark Web markets too.

In addition to my Dark Web research, I also really enjoyed watching “How To Sell Drugs Online (Fast)” on Netflix. It’s a three-season show about a few German teenagers who... sell drugs online. I was impressed with the technological accuracy of the show. All of the computer networking and web development technicalities depicted in the show were accurate. But there are two major differences between Moritz Zimmermann’s MyDrugs from the show and how illegal substances and cybercrime are typically sold through the internet these days. First of all, MyDrugs was on the clearnet, the internet outside of the darknet. Secondly, Moritz and Lenny acquired the illegal substances themselves. They were both market operators and vendors. No wonder they had so many problems!

Most illegal drug dealers online work differently. The operators of Dark Web markets are separate from their vendors. And of course, their sites can only be accessed through Tor and I2P. In real life, Dark Web markets work similarly to eBay. Just think of them as “if eBay was for bad stuff.” Anyone who follows the right steps can set up an account to sell illegal things on a Dark Web market, or conversely, to buy those things as a customer. And the same sites with vendors who sell illegal drugs also have vendors who sell breached financial data, phishing kits, and other cybercrime weapons. It’s my job to observe it and take notes. I also see that these Dark Web market vendors and buyers are playing a dangerous game. Although it’s more difficult for law enforcement to investigate Dark Web crime, the cops are often successful. Using the Dark Web is no guarantee that you won’t get caught.

Here’s a brief history of some Dark Web markets that have risen and fallen over the past few years.


Silk Road

The very first modern darknet market was Silk Road. It launched in February 2011, on the Tor Network. And when Adrian Chen reported on Silk Road for Gawker in June 2011, curiosity in the new underground market exploded. Chen wrote:

“Silk Road, a digital black market that sits just below most internet users' purview, does resemble something from a cyberpunk novel. Through a combination of anonymity technology and a sophisticated user-feedback system, Silk Road makes buying and selling illegal drugs as easy as buying used electronics—and seemingly as safe. It's Amazon—if Amazon sold mind-altering chemicals...

Getting to Silk Road is tricky. The URL seems made to be forgotten. But don't point your browser there yet. It's only accessible through the anonymizing network TOR, which requires a bit of technical skill to configure.

Once you're there, it's hard to believe that Silk Road isn't simply a scam. Such brazenness is usually displayed only by those fake ‘online pharmacies’ that dupe the dumb and flaccid. There's no sly, Craigslist-style code names here. But while scammers do use the site, most of the listings are legit...

Silk Road cuts down on scams with a reputation-based trading system familiar to anyone who's used Amazon or eBay. The user Bloomingcolor appears to be an especially trusted vendor, specializing in psychedelics. One happy customer wrote on his profile: ‘Excellent quality. Packing, and communication. Arrived exactly as described.’ They gave the transaction five points out of five.”

Law enforcement was compelled to stop Silk Road to prevent an online black market from thriving. In May 2013, they conducted DDoS (distributed denial of service) attacks on Silk Road’s Tor-hosted web servers, overwhelming the servers with traffic and forcing them to go offline. From there, the cops were able to investigate whoever was running the site.

The administrator of Silk Road went by the username Dread Pirate Roberts. An investigation combining digital forensics techniques and old-fashioned police work revealed that his real name is Ross Ulbricht. The FBI managed to arrest Ulbricht and shut down Silk Road for good in October 2013. Ulbricht was criminally convicted of “engaging in a continuing criminal enterprise, narcotics trafficking, money laundering, and computer hacking” in February 2015.


AlphaBay

AlphaBay was born in Silk Road’s ashes, but made by someone with no connection to “Dread Pirate Roberts.” It launched on Tor in late 2014. There were 14,000 new users of the site within the first 90 days of its existence. Clearly, Silk Road’s death didn’t kill the demand for illegal darknet markets.

By October 2015, AlphaBay had 200,000 users. And by the time law enforcement brought it down in July 2017, it had a whopping 400,000 users.

AlphaBay’s administrator used the username “Alpha02.” Law enforcement investigation came to the conclusion that “Alpha02” was Alexandre Cazes, then a 26-year-old Canadian living the high life in Thailand from his illegal moneymaking. He reportedly drove expensive cars and lived in luxury.

Part of Cazes’ downfall is that he used his Hotmail account on the site: the same Hotmail email address that he used on LinkedIn with his real name. Oops!

By July 2017, the cops caught up with Cazes and arrested him. Cazes’ downfall was tragic indeed: he apparently killed himself in his jail cell. From The Star (Malaysia):

“A 26-year-old Canadian found dead in his Thai police cell this week was wanted in the US for allegedly running a massive ‘dark web’ marketplace for drugs and other contraband, a police source said. Thai cops arrested Alexandre Cazes in Bangkok on July 5 and had planned to extradite him to the US, where he faced drug trafficking and money laundering charges. But the computer programmer hanged himself with a towel in his detention cell a week later on July 12, according to Thai anti-narcotics police, who have been tight-lipped on the details of his case. Yesterday, a Thai officer confirmed Cazes was accused of being an ‘operator’ of a major online black market.”


Dream Market

Dream Market launched on Tor sometime between November and December 2013, after Silk Road’s downfall but roughly a year before AlphaBay’s debut. Dream Market had incredible resilience by darknet market standards. The site ran for about five and a half years, until it was eventually shut down by law enforcement in April 2019.

DeepDotWeb reported the news of Dream Market’s death that same year:

“On March 26, customers and vendors logged into their Dream Market accounts and found themselves unable to use the marketplace’s most basic functions. The marketplace had replaced the listings for drugs, stolen Netflix passwords, and fraud guides with a message that announced the market’s shutdown and so-called ‘transfer.’ The message lacked any real information and raised concerns about the funds users had deposited in wallets on Dream Market.

‘This market is shutting down on 04/30/2019 and is transferring its services to a partner company, onion address: weroidjkazxqds2l.onion (currently offline, opening soon),’ marketplace staff wrote. Unable to find any useful information about the shutdown and ‘transfer’ on Dream Market, users posted questions on Dread and on some of the subreddits for dark web users that dodged Reddit’s last banhammer...

Dream Market announced the shutdown after seven weeks of intense DDoS attacks that rendered the market inaccessible at times. At the height of the attacks, users questioned whether or not law enforcement had a role in crippling the marketplace. Since then, various members of the community provided information on the situation on the attacker. Nearly a month prior to the announcement from Dream Market, the creator of Dread confirmed that an extortionist had attacked both Dread and Dream Market. In one comment about a separate attack against Dread, HugBunter wrote that the entity behind the Dream Market attack had launched the attack in an attempt to extort the Dream Market administrator for 400,000 USD. ‘[The attacker] is continuing to attack waiting to see if SpeedStepper gives in to pay him off, it is literally just an extortion attempt, no other motive,’ HugBunter wrote in a comment on Dread.”

So once again, DDoS attacks were successfully orchestrated by law enforcement. Then it was easier for them to penetrate Dream Market’s servers and investigate the operator. Gal Vallerius was arrested in August 2017. When he tried to cross a border, his laptop was searched and it was confirmed that he was OxyMonster, an online drug dealer.
