The last few months have not been kind to dark web markets. After a year-long period of relative stability, two major markets went dark in July – and that’s just the beginning. In the last two weeks, almost all the remaining marketplaces have gone down – and stayed down for days at a time – in what appears to be a sustained, coordinated DDoS attack – Operation Bayonet.

On July 4th, Alphabay, the largest dark web market we’ve ever seen, disappeared, causing its users to flee to other markets. The main destination of these “Alphabay refugees” was Hansa, a smaller but reliable second-favorite. Then, on July 20th, the U.S. Department of Justice, in cooperation with Europol and other international partners announced that U.S. law enforcement had shut down Alphabay as part of Operation Bayonet. Across the pond, Europol had secretly taken over Hansa and had maintained the site as a honeypot, capturing the information of thousands of new users as they fled from Alphabay to Hansa. This revelation sent the dark web drug community into a tailspin of fear, uncertainty, and doubt; if Alphabay and Hansa had both been taken over, could any market be safe?

After Operation Bayonet, the natural refuge for the thousands of displaced vendors and despondent buyers left behind was Dream Market, now the largest and best-known remaining marketplace. However, aftermarket staff repeatedly refused to ban vendors who scammed users or had their accounts taken over by law enforcement, users and vendors deeply distrusted Dream. Enter Trade Route, a smaller market that users pointed to as the next great hope of the dark web drug scene: Trade Route was new, only a few months old, and posts promoting the market highlighted the many security features the market had implemented to protect buyers, vendors, and the bitcoins they deposited into the site. If any site was immune to the security flaws that had brought down Alphabay and Hansa, users argued, Trade Route was.

For a few months, the community entered a holding pattern – while clearly shaken by Operation Bayonet, users and vendors were slowly beginning to find other sites. The respite did not last for long: at the end of September, multiple sites, including Trade Route and the Dream, began to suffer crippling DDoS attacks that would render the sites inaccessible to buyers and vendors. DDoS (Distributed Denial of Service) attacks bombard websites with traffic – usually supplied by bots that are programmed to keep visiting the site over and over – overloading the site’s servers and forcing the site offline. Over the days and weeks, more sites began to fall victim to the attacks, with the top five sites offline for days at a time. Dark web marketplaces are no strangers to being DDoSed – it’s not uncommon for sites to attack each other in order to drive buyers away from their competitors or for disgruntled users to turn their frustrations on a site – but the length and breadth of this attack is unprecedented. Few people, alone or working as a group, have the resources to target a single site for weeks at a time, let alone half a dozen or more.

In the midst of the chaos caused by the sustained DDoSing, newly-popular Trade Route began to unravel. As the DDoS attacks went on, a well-known phisher revealed that he had been extorting the staff of the market for weeks, demanding payments in exchange to silence about vulnerabilities he had discovered in the structure of the market. In response to the phisher’s post, Trade Route’s administrators exit-scammed, closing the market and running off with all the Bitcoin users had deposited. Meanwhile, the attacks continued to target the remaining marketplaces.

The dark web community has never seen attacks of this length and scope before, and no one knows what will make them stop – except, of course, the attackers. In a conversation between the spokespeople for two markets, one representative alluded to receiving “silly demands.” While other markets have not indicated publicly that they received demands as well, all marketplace statements have referenced the DDoSing as the reason their sites have been inaccessible and no individual or group has taken credit for the attacks. Some sites have released formal statements that market staff have taken steps to make their markets less vulnerable to DDoSing: some sites have created mirrors to their main sites, while others have instituted anti-DDoS captchas. While these measures have made sites slightly more accessible, the attacks have still not stopped. Currently, the identities and motives of the attackers is unknown.

Meanwhile, as usual, fraud-focused markets and forums have escaped the turmoil and attacks affecting the more metropolitan, drug-focused marketplaces. In the wake of the Alphabay and Hansa takedowns, the fraud markets barely flinched, and business continues largely as usual. Even on the dark web, and even in the otherwise unstable market ecosystem, fraud finds a way.