It’s November, and the major dark web markets are still down. This unprecedented, ongoing DDoS attack across the remaining major markets has left the dark web working through mirrors and back channels for almost a month. Some in the community anticipated a moment of resolution (or relief) around Halloween, or perhaps on November 5th, echoing the 2014 law enforcement takedown effort known as Operation Onymous. The holidays have come and gone, and the markets are still down—now what?
Not too much has changed since we first wrote about the market downtime last month. Many of the major markets are still down consistently, though we have seen intermittent uptime on Dream, the largest (and least trusted) of the markets still running. Market admins continue to report powerful DDoS attacks, with no end in sight.
The admins are fighting back, however, in the few ways that they can. Many of the markets now have multiple mirrors, which are largely functional at any given time. Users are still able to access the sites, contact vendors, place orders, and file disputes. After the Alphabay takedown, we’ve seen users adapt to increased instability; users are now more accepting of increased downtime, and anticipate needing to try multiple mirrors before gaining access to a market. Disruption is the new normal.
We have seen one market announce plans to close its doors, however. RSClub, a small but steady figure on the market list, issued a statement last week that they would be shutting down as of December 1st. The admins revealed that (supposedly) an attacker was able to exploit a bug in the site and run off with $100,000 in bitcoin from users’ wallets. Users have been asked to file reimbursement requests, which the admins have offered to pay out of their own pockets. RSClub is taking the month to shut down their registration, refund users, and close up shop. Another market gone.
After almost a month of sustained DDoS attacks on the main sites, where do we go from here? Will the markets resurface under their main URLs? Will the mirrors become the main links, and will we see those targeted just as heavily? Why are the mirrors still largely functional? Will we have a clearer sense of attribution or motive behind the attacks going forward? Everyone’s asking - what’s next?
There are a few possibilities beginning to take shape. Users may continue to work around the downtime, as we’ve seen them do in previous weeks. The list of market mirrors continues to grow, and users are content to access the site through whatever link may be up and running at a given moment. The dark web is unstable, and while this instability is unprecedented at scale, it’s a familiar beast for many users.
We may see more direct deals take place, or more development of single vendor shops. Users, particularly in the drug community, are loyal to their vendors. After exit scams or takedowns, users take to forums to ask after their vendors; loyalty to a market alone is rare. Vendor shops are more tenuous, however, as smaller markets are easy to target, security may not be as robust, and takedowns will target vendors rather than administrators.
Or we may see something new take shape. We may see increased decentralization, or a turn to a new type of market structure entirely, or perhaps even another major market rise to prominence (though that seems unlikely under the current environment). For now, the community has more questions than answers, and there are still plenty of holidays to go around. We may yet see a seasonal resolution. Only time will tell.