In late 2018, Terbium Labs released Trends and Projections in the Dark Web Data Trade, highlighting our predictions for the coming year. Over the coming months, we will unpack those trends in a series of blog posts highlighting the events that shaped our predictions and the developments in those trends since the beginning of the year. For the first post in this series, we unpack the increased law enforcement attention toward cyber-enabled fraud and the shift in resources allocated to taking down dark web communities trading compromised data and financial details.
Historically, much of the attention around dark web takedowns focused on physical goods, with law enforcement efforts focused primarily on drugs and weapons trafficking. In 2013, when the Justice Department executed a takedown of the infamous Silk Road Marketplace, the press release focused on the market’s drug activity, noting “drug dealers and other unlawful vendors” were using the site to “buy and sell hundreds of kilograms of illegal drugs and other unlawful goods and services.” A few years later, law enforcement executed another major takedown as part of Operation Onymous, shutting down Silk Road 2.0 and a handful of other illicit markets. With Operation Onymous, law enforcement issued more explicit language about the fraud problem, likely due to a handful of smaller, fraud-specific markets in the takedown. The release noted that the “advertised goods and services included, among other things: illegal narcotics; firearms; stolen credit card data and personal identification information; counterfeit currency; fake passports and other identification documents; and computer-hacking tools and services.” Drugs and weapons held fast as the primary targets, but fraud and data compromise received honorable mentions.
Fast forward to July 2017, when the Justice Department announced the seizure of Alphabay as part of Operation Bayonet. In coverage of Operation Bayonet, the focus on drugs continued. The press release called Alphabay a “major source of fentanyl and heroin, linked to overdose deaths, and used by hundreds of thousands of people to buy and sell illegal goods and services.” In classifying Hansa Market, another large dark web market taken down in the same operation, the release put drugs front and center, claiming that “like Alphabay, Hansa Market was used to facilitate the sale of illegal drugs, toxic chemicals, malware, counterfeit identification documents, and illegal services.”
Let’s be clear: drugs are popular goods on the dark web, and in some cases, they are the dominant listings on major dark web markets. Drugs warrant attention from law enforcement, and increased rates of overdoses—particularly from fentanyl and other synthetic opioids—are an ongoing problem that demands international attention. Drugs are a problem, yes, but the drug trade should not be the sole focus of criminal takedowns. The fraud economy on the dark web is too established and too pervasive to only ever be collateral damage in the process of a drug bust.
Drugs and weapons make headlines—they seize on tangible, physical threats and a common enemy, whether violent attacks or the ongoing efforts in the so-called war on drugs. Fraud is a more insidious enemy, often dismissed as a victimless crime that causes a financial inconvenience for banks and temporary frustration for customers. For many, fraud seems unfortunate and irritating but hardly problematic on the scale of arms trafficking. This perception puts us at a dangerous disadvantage in facing the developing profile of criminal activity.
We need to change the way we think about fraud. Financial data and personal information records are listed and sold by the millions on the dark web. The compounding effects of large-scale data breaches provide more raw materials for criminals to exploit in consumer phishing schemes, credential stuffing attacks, and business email compromise. Criminals use compromised financial data for quick cash-out schemes, yes, but also more pervasively—to launder money, pay mules, and cover the operational costs of their broader criminal enterprises. Data compromise fuels fraud, and fraud fuels a wide range of other criminal activity.
Law enforcement is taking notice and taking action. In February of 2018, the Justice Department issued an indictment for members of the InFraud organization, naming thirty-six defendants “responsible for more than $530 million in losses from cybercrimes.” InFraud was a prolific syndicate with an established online presence, much like the dozens of other dedicated fraud markets that make up the backbone of the dark web fraud community. For every independent shop or isolated vendor, the dark web fraud community has thriving hubs like InFraud that provide vital marketing and communication efforts to boost fraud sales and spread institutional knowledge between fraudsters. Taking down InFraud was a key signal to the fraud community: we see