While you were out preparing your costumes and decorations, dark web vendors offered a little Halloween festivity with discounts and new products. But it’s not all spooky savings – some dark web criminals aren’t afraid to do the cyber equivalent of toilet papering your trees. New holiday-themed ransomware also hit the web this year just in time for Halloween.

CANDY COUPONS

Halloween expenses can add up quickly. Between the costumes, the candy, and the decorations, your holiday bills can be a bit scary. Have no fear, you can purchase coupons for all of your most important ghoulish needs!

On one of the largest dark web markets, AlphaBay, vendor TeamLotus sold coupons for decorations, candy, and even pet costumes. These 73 coupons expire 90 days after the initial download. They work only in the United States and sell for $19.98. The coupons were described as “exactly like the leading internet coupons and work even better.” It’s unclear whether these coupons are copies of real company-issued coupons or are fraudulent, and the vendor did not provide any specific information about the retailers involved.

THIS IS HALLOWEEN, EVERYBODY MAKE A SCENE

Recently, we have seen a dramatic increase in discussions around fentanyl on the dark web. This synthetic narcotic has a high addiction and dependence risk and has been cited in many recent overdoses.

Vendor getting offers a Halloween special on their 15 ml furanyl fentanyl. The dispenser reportedly contains 150 sprays and costs $30 before shipping. This vendor has high trust and stealth levels according to reviews, and the market indicates this particular listing has been purchased 56 times since the listing was first posted. The sale was originally supposed to end on October 24th, but the vendor decided to leave the listing up – nothing like an extended sale to get you in the holiday spirit.

GETTING INTO THE HALLOWEEN SPIRIT

Some drug vendors change their products to fit the holiday.

On dark web marketplace Hansa, vendor FatFreddysCatz posted three Halloween-themed THC-infused products. Their Gummy Ghosts and Glo Skulls retail for $18.34 (that will get you two gummies). Both gummies supposedly have an “eerie glow” under UV blacklight. As a holiday special, FatFreddysCatz made the skulls and ghosts double the concentration of his regular Gummy Catz.

FatFreddysCatz also sells Halloween Glo-Shots. One shot of either Radioactive Pink or Toxic Green goo sells for $12.15. The vendor even has serving recommendations: apparently the Glo-Shots go well with champagne.

HAUNTED HEROIN

Another Hansa Halloween sale appeared in the opioids section. Vendor ElectricMistress was selling a special 3g uncut black tar heroin. Like many vendors, ElectricMistress listed this $360 drug as “the best on the market”.

This vendor comes highly recommended for their stealth, generosity (they always include extra products according to reviews), and customer service.

PASTEBIN PUMPKIN

If you are looking to continue carving out some nice savings, look no further than Pastebin. Pastebin offered a Halloween special on their pro accounts. For a limited time, Lifetime Pro accounts were 40% off.

PUMPKIN SPICE RANSOMWARE

Recipients are in for a nasty treat with a recent form of ransomware. A version of Locky ransomware appeared with 40 mentions of the word “PUMPKIN” scattered throughout the code. Locky takes hold when the victim opens a .zip file titled “Receipt XXX-XXX.” To receive the private key needed to decrypt their files, victims must pay a ransom. If they’re lucky, the money they saved with their Halloween coupons will be enough to get their files back.

Halloween is the first of many holidays observed on the dark web during the holiday season. As we progress deeper into the holiday season, we can expect to see more festive activity on the dark web.

ONE MORE THING

In case you needed another reminder that nearly everything is connected to the internet now, security researchers have found vulnerabilities in an Android app that could allow hackers to steal your phone’s data – from your crockpot. Like most Internet-of-Things devices, the crockpot wasn’t designed to receive automatic security updates. Owners will have to download and install the patch themselves. So much for “set it and forget it.”
