Guest written by Rick Holland, VP Strategy at Digital Shadows
The law enforcement operations that took down the AlphaBay and Hansa marketplaces were meant to strike a sizable blow to the online trade of illegal goods and services. Frequenters of these services might now think twice before placing their trust in these unregulated platforms, and there may well be further arrests to follow as investigations and analysis into the materials seized in these raids run their course.
However, when a drug enforcement operation completes a major bust or arrests a large number of individuals, there is often always another group, or new recruits, ready to fill the void. Similarly, our analysis of the broader cybercriminal ecosystem suggests that the impact of the AlphaBay and Hansa closures will be somewhat short-lived, for at least three reasons:
The game of whack-a-mole continues, cybercrime will find a way
With AlphaBay and Hansa out of the picture, sellers and users will flock to other marketplaces to continue trading as before. This has been evident already, with former AlphaBay and Hansa users advertising on established forums such as Dream Market, TradeRoute, House of Lions and Wall Street Market, which we focused on in our previous blog.
Marketplace takedowns are not a new phenomenon. When Silk Road, once the largest and most popular dark web marketplace, was disrupted by the Federal Bureau of Investigation (FBI) in 2013, this only precipitated the growth of other, alternative platforms. AlphaBay grew from Silk Road’s closure and eventually took on the mantle of the most popular dark web market. Subsequent reincarnations of Silk Road in the form of Silk Road 2.0 and Silk Road 3.0 exemplify how the cycle will likely continue for the foreseeable future.
We have seen alternatives emerge as a result of marketplace exit scams as well. In 2015, administrators from the Evolution Marketplace stole an estimated 40,000 BTC. Dream Market was once of the beneficiaries of that exit scam. Just as Jeff Goldblum’s Jurassic Park character, Doctor Ian Malcolm says, “Life uh, finds a way,” cybercrime finds a way as well. Commerce must flow; buyers and sellers need to be connected.
AlphaBay and Hansa were only a part of a broader cybercrime ecosystem
Yes, AlphaBay and Hansa were two of the most popular English-language dark web marketplaces. And yes, they had dedicated sections for fraud-related goods (stolen payment card information, counterfeit documents, and compromised bank accounts), as well as malware and hacking tools (the RIG and Bleeding life exploit kits were previously advertised on AlphaBay). However, from an information security perspective, we should remember that most of the products advertised on these platforms were for drugs, weapons, and digital goods such as media accounts and service subscriptions.
Our research shows that there are other forums specifically dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Often sellers will advertise their products on these forums, and then direct users to dark web sites to then arrange payment.
Where stolen databases have appeared on sites like Hansa, we assessed it to be highly likely that these datasets were previously traded widely through other criminal networks and then listed on these marketplaces only once their value had been exhausted.
Payment card fraud is a good example of why we should not focus too heavily on marketplaces. There are countless carding and Automated Vending Cart (AVC) sites dedicated to payment card fraud. These types of sites often provide tutorials and courses for novice fraudsters, as we highlight in our recent whitepaper. With new carding and AVC sites emerging every day, this type of activity will continue unabated despite the AlphaBay and Hansa takedowns.