Dark Web Instability: What Happened To All The Markets?

Where have all of the good markets gone?
Writer Emma Z.
October 27, 2017

Emma serves as the Director of Analysis at Terbium Labs, working on evaluating and contextualizing threats to customer data. She spends a lot of time reading forum drama on the dark web, writing regular expressions, and drinking LaCroix on the train between DC and Baltimore.

The last few months have not been kind to dark web markets. After a year-long period of relative stability, two major markets went dark in July - and that’s just the beginning. In the last two weeks, almost all the remaining marketplaces have gone down - and stayed down for days at a time - in what appears to be a sustained, coordinated DDoS attack.

On July 4th, Alphabay, the largest dark web market we’ve ever seen, disappeared, causing its users to flee to other markets. The main destination of these “Alphabay refugees” was Hansa, a smaller but reliable second-favorite. Then, on July 20th, the U.S. Department of Justice, in cooperation with Europol and other international partners, announced that U.S. law enforcement had shut down Alphabay as part of Operation Bayonet. Across the pond, Europol had secretly taken over Hansa and had maintained the site as a honeypot, capturing the information of thousands of new users as they fled from Alphabay to Hansa. This revelation sent the dark web drug community into a tailspin of fear, uncertainty, and doubt; if Alphabay and Hansa had both been taken over, could any market be safe?

After Operation Bayonet, the natural refuge for the thousands of displaced vendors and despondent buyers left behind was Dream Market, now the largest and best-known remaining marketplace. However, after market staff repeatedly refused to ban vendors who scammed users or had their accounts taken over by law enforcement, users and vendors deeply distrusted Dream. Enter Trade Route, a smaller market that users pointed to as the next great hope of the dark web drug scene: Trade Route was new, only a few months old, and posts promoting the market highlighted the many security features the market had implemented to protect buyers, vendors, and the bitcoins they deposited into the site. If any site was immune to the security flaws that had brought down Alphabay and Hansa, users argued, Trade Route was.

For a few months, the community entered a holding pattern - while clearly shaken by Operation Bayonet, users and vendors were slowly beginning to find other sites. The respite did not last for long: at the end of September, multiple sites, including Trade Route and the Dream, began to suffer crippling DDoS attacks that would render the sites inaccessible to buyers and vendors. DDoS (Distributed Denial of Service) attacks bombard websites with traffic - usually supplied by bots that are programmed to keep visiting the site over and over - overloading the site’s servers and forcing the site offline. Over the days and weeks, more sites began to fall victim to the attacks, with the top five sites offline for days at a time. Dark web marketplaces are no strangers to being DDoSed - it’s not uncommon for sites to attack each other in order to drive buyers away from their competitors or for disgruntled users to turn their frustrations on a site - but the length and breadth of this attack are unprecedented. Few people, alone or working as a group, have the resources to target a single site for weeks at a time, let alone half a dozen or more.

In the midst of the chaos caused by the sustained DDoSing, newly-popular Trade Route began to unravel. As the DDoS attacks went on, a well-known phisher revealed that he had been extorting the staff of the market for weeks, demanding payments in exchange for his silence about vulnerabilities he had discovered in the structure of the market. In response to the phisher’s post, Trade Route’s administrators exit-scammed, closing the market and running off with all the Bitcoin users had deposited. Meanwhile, the attacks continued to target the remaining marketplaces.

The dark web community has never seen attacks of this length and scope before, and no one knows what will make them stop - except, of course, the attackers. In a conversation between the spokespeople for two markets, one representative alluded to receiving “silly demands.” While other markets have not indicated publicly that they received demands as well, all marketplace statements have referenced the DDoSing as the reason their sites have been inaccessible, and no individual or group has taken credit for the attacks. Some sites have released formal statements that market staff have taken steps to make their markets less vulnerable to DDoSing: some sites have created mirrors to their main sites, while others have instituted anti-DDoS captchas. While these measures have made sites slightly more accessible, the attacks have still not stopped. Currently, the identities and motives of the attackers are unknown.

Meanwhile, as usual, fraud-focused markets and forums have escaped the turmoil and attacks affecting the more metropolitan, drug-focused marketplaces. In the wake of the Alphabay and Hansa takedowns, the fraud markets barely flinched, and business continues largely as usual. Even on the dark web, and even in the otherwise unstable market ecosystem, fraud finds a way.
