No Second Onymous (Yet): Major Dark Web Markets Still Down

Next: Dark Web Instability: What Happened To All The...
Previous: Conferences You Should Know About: A Recap of...
Is somebody going to clean this up?
Writer Emily W.
November 06, 2017

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy, while crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

It’s November, and the major dark web markets are still down. This unprecedented, ongoing DDoS attack across the remaining major markets has left the dark web working through mirrors and back channels for almost a month. Some in the community anticipated a moment of resolution (or relief) around Halloween, or perhaps on November 5th, echoing the 2014 law enforcement takedown effort known as Operation Onymous. The holidays have come and gone, and the markets are still down—now what?

Current Status

Not too much has changed since we first wrote about the market downtime last month. Many of the major markets are still down consistently, though we have seen intermittent uptime on Dream, the largest (and least trusted) of the markets still running. Market admins continue to report powerful DDoS attacks, with no end in sight.

The admins are fighting back, however, in the few ways that they can. Many of the markets now have multiple mirrors, which are largely functional at any given time. Users are still able to access the sites, contact vendors, place orders, and file disputes. After the Alphabay takedown, we’ve seen users adapt to increased instability; users are now more accepting of increased downtime, and anticipate needing to try multiple mirrors before gaining access to a market. Disruption is the new normal.

We have seen one market announce plans to close its doors, however. RSClub, a small but steady figure on the market list, issued a statement last week that they would be shutting down as of December 1st. The admins revealed that (supposedly) an attacker was able to exploit a bug in the site and run off with $100,000 in bitcoin from users’ wallets. Users have been asked to file reimbursement requests, which the admins have offered to pay out of their own pockets. RSClub is taking the month to shut down their registration, refund users, and close up shop. Another market gone.

What’s Next?

After almost a month of sustained DDoS attacks on the main sites, where do we go from here? Will the markets resurface under their main URLs? Will the mirrors become the main links, and will we see those targeted just as heavily? Why are the mirrors still largely functional? Will we have a clearer sense of attribution or motive behind the attacks going forward? Everyone’s asking - what’s next?

There are a few possibilities beginning to take shape. Users may continue to work around the downtime, as we’ve seen them do in previous weeks. The list of market mirrors continues to grow, and users are content to access the site through whatever link may be up and running at a given moment. The dark web is unstable, and while this instability is unprecedented at scale, it’s a familiar beast for many users.

We may see more direct deals take place, or more development of single vendor shops. Users, particularly in the drug community, are loyal to their vendors. After exit scams or takedowns, users take to forums to ask after their vendors; loyalty to a market alone is rare. Vendor shops are more tenuous, however, as smaller markets are easy to target, security may not be as robust, and takedowns will target vendors rather than administrators.

Or we may see something new take shape. We may see increased decentralization, or a turn to a new type of market structure entirely, or perhaps even another major market rise to prominence (though that seems unlikely under the current environment). For now, the community has more questions than answers, and there are still plenty of holidays to go around. We may yet see a seasonal resolution. Only time will tell.

analysis June 24, 2019
New Research: Terbium Labs Uncovers Pervasive Links Between Fraud and Transnational Crime

Terbium Labs investigated the links between payment fraud and serious transnational crime. This research begins to fill a gap in understanding about the use of fraudulent financing in some of the most heinous crimes...

analysis April 17, 2019
Terbium Labs Investigates Dark Web Fraud Guides for an Inside Look on Cyber Crime

With our latest research, Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data, Terbium Labs investigates dark web fraud guides to create a detailed, first-hand account of the illicit...