Many Vendors of Illegal Drugs, Weapons, Hacking Tools Prefer Markets
Empire darknet market vendor announces move to the Wickr encrypted app, in a post to Dread, a Reddit-like forum for dark web discussions (Source: Digital Shadows)
With so many cybercrime markets continuing to disappear, why haven’t more users simply switched to using encrypted messaging apps?
Numerous darknet – aka dark web – cybercrime markets have gone bust after their administrators disappeared with all of the cryptocurrency being held in escrow. These so-called exit scams, when timed well, can leave admins $10 million or more richer. Hence the appeal of such schemes is easy to see.
“Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach.”
In recent weeks, one leading market on the darknet – meaning it can only be reached via the anonymizing Tor browser – called Empire disappeared after an exit scam. One of its main rivals, Icarus, subsequently appears to have done the same. Drawn by markets’ ease of use, and few great alternatives, many users will no doubt now try their luck with a new market (see: Why Darknet Markets Persist).
Cybercrime forum post in which users discuss alternatives to replace Empire, including Icarus (Source: Bleeping Computer, via Kela)
Given darknet markets’ downsides, encrypted messaging apps might seem to be a perfect alternative because they facilitate one-to-one communication, encrypted from end to end. At least in theory, buyers and sellers can communicate without anyone else getting in the way or eavesdropping, thus solving many of the problems facing market users.
Last year, Europol warned that many darknet marketplace-using buyers and sellers, stung by police takedowns of AlphaBay, Hansa and other marketplaces, were moving away from Tor-based centralized markets and adopting encrypted messaging apps instead.
“They’re distributing themselves, so they’re moving more to encrypted, distributed marketplaces, like you’d see in Telegram or WhatsApp,” computer security expert Alan Woodward, a visiting professor at England’s University of Surrey and cybersecurity adviser to Europol, told me last year. Other widely used apps include Discord, Jabber and Wickr.
Messaging Platforms: Upsides, Downsides
Other experts agree that many criminals rely on encrypted chat apps. But as the continuing use of darknet markets demonstrates, encrypted chat apps have yet to displace either markets or forums.
For both buyers and sellers, encrypted apps have downsides. One is the challenge of finding – or marketing – goods and services being provided via chat apps.
A former darknet market vendor asks buyers to move to Wickr (Source: Bleeping Computer, via Kela)
Fear about the reliability of legitimate platforms – and of the risk of getting sold out – is another factor. “By trusting a legitimate third-party application’s encryption and anonymity policies, threat actors are placing their trust in non-criminals,” the “Photon Research Team” at digital risk protection firm Digital Shadows tells me.
Criminals typically prefer to avoid such situations. “Compare this to forums or marketplaces, whose administrators have a vested interest in maintaining the ultimate levels of security and anonymity,” they say.
Chat platforms’ smaller scale can also be an unwelcome limitation for criminals because fewer customers means lower profits for sellers or chat-channel administrators.
“Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach,” Raveed Laeb and Victoria Kivilevich, respectively product manager and threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tell me.
“Another limit is that many chat channels focus on one subject – meaning that one channel features drugs, another one offers enrolls and so on. Thus, it lowers potential profits for the channel’s admins,” they say.
A buyer seeks to reestablish communications with an Empire vendor, via Wickr, after Empire’s exit scam (Source: Kela)
If time is money, markets clearly remain the more lucrative – if potentially less safe – approach for a great many buyers and sellers alike. “It is much easier to run a search on a marketplace, or to know that as a vendor you can advertise your products to a market’s entire user base,” the Digital Shadows researchers say.
Encrypted Apps: Police Target
While encrypted chat apps might seem safer than darknet markets, they don’t make users invisible. “Instant messaging platforms are not necessarily a safe haven for criminal or extremist content, as some media outlets like to report,” the Kela researchers say. “A good example here, just because it’s local, would be Telegrass.”
Telegrass is a chat service run on the encrypted messaging service Telegram, supporting a cannabis distribution network that police say was the largest in Israel, at least until police last year arrested 42 individuals, including Telegrass’s alleged leaders. Likened to “Uber for pot,” Telegrass also sells a variety of other illegal drugs, including LSD, cocaine and MDMA, also known as ecstasy.
“The Israeli police don’t really have an incentive or ability to go after Empire’s admins, but they do have both an incentive and ability to go after the Telegrass admins,” the Kela researchers say.
‘Roll Your Own’ Downsides
One alternative is a custom, encrypted chat service created by criminals, for criminals, perhaps backed by an encrypted communications service, including dedicated handsets. But this approach also has a poor track record.
After a multiyear investigation, police this past summer shut down the encrypted communications network EncroChat, which sold smartphones for about $1,000, with a six-month service plan running $1,700. The investigation led to the arrest of 746 suspects in the U.K. and more than 100 in the Netherlands, as well as the seizure of more than 8,000 kilos of cocaine, 1,200 kilos of crystal meth and $67 million in cash.
Clearly, trying to sell illegal substances online remains challenging for buyers, sellers and service providers alike.
In response, some markets have moved to drop illegal drugs and begun adopting an “automarket” approach that focuses on self-fulfilled sales of malware, stolen databases, login credentials and other hacking and cybercrime tools and services, the Kela researchers say. Criminals’ thinking, they note, appears to be that by not selling drugs, and with malicious “cyber” tools existing in a legal gray zone in many jurisdictions, such markets will be less likely to get disrupted.
Perhaps so, but if there’s one truism about selling illegal goods and services on the internet – including via darknet markets, forums and encrypted chat apps – criminals have yet to find a foolproof or police-proof approach.