Over the past week, an unknown malicious actor launched perhaps the biggest phishing attack against dark web marketplaces. This attack created havoc among their participants, and further questioned the very business model of dark web marketplaces. What happened, why is it significant, and what does this mean for the near future?
The Hacking of Dark Web Directories
There is no dark web search engine that comes even remotely close to the level of service that Google offers on the clearweb. Instead, dark web participants must rely on directories that list the latest domain names of marketplaces. Sometimes, these domain names change on an hourly basis to make it harder to track where the websites are hosted.
This means that most, if not all, dark web participants rely on just one or two trusted directories to source the links to marketplaces. The risk here is that participants will fetch a phishing site that will steal their credentials. If that were to happen, a malicious actor could:
- Take over a vendor’s account, and steal the funds it has on the marketplace.
- Take over a vendor’s account and put up new listings at a very low price to attract many customers looking for a bargain. The actor would then steal the funds, and never deliver on the purchases, thereby ruining the vendor’s reputation.
- Direct a buyer to a phishing site that mirrors a dark web marketplace. The only thing they would change would be the payment information so that the buyer’s funds end up in their wallets instead of the marketplace administrators’.
Because of the sensitive nature of dark web directories, their administrators have put in place significant security measures to securely receive the domains that the marketplaces can be found at. They are also supposed to put in place measures so that their own website is not hacked, and the domain name list is not updated with false information.
Since between April 29th and May 5th, the two largest directories were taken over by hackers, these failsafes have obviously failed. It appears that one or more malicious actors convinced the directories’ registrars to transfer over the control of the domain names. To achieve this, they impersonated German law enforcement and faked a court order. Anyone visiting the directories in the given timeframe was presented with links to phishing sites.
Large Scale Phishing Attack Targets the Dark Web’s Network of Trust
This phishing attack has reached unprecedented levels. In the past, there were countless phishing sites built to lure in unsuspecting dark web marketplace participants. However, this is the first time when a coordinated attack is launched against all major dark web marketplaces.
This hack involves creating multiple sophisticated phishing sites, something that requires a great deal of resources. It also involves hacking two of the largest dark web directories at the same time, and controlling their websites for an extended period of time. These two factors combined suggest that the malicious actors involved are sophisticated individuals, with means and skills.
It is difficult to assess the direct impact of this hack as of now. Still, the dark web marketplace economy is based on the fact that reliable directories will control the flow of participants, and safely direct them to the marketplaces. If these directories cannot be trusted, it will become extremely difficult to connect to dark web marketplaces, which could translate to lower levels of participation and decreased sales.
In its 2021 Report, Chainalysis shows that dark web marketplace sales outside of Russia have been flat for the past 3 to 4 years. With little growth, it is an adverse event such as this one that could actually generate a decrease in the size of dark web marketplaces, rather than the stagnation we have witnessed as of late.
A Shift to Decentralized Platforms
It can be challenging for marketplace administrators to create reliable signals that their visitors are browsing a real site instead of a phishing one. There will therefore always be a significant vulnerability in the current model where directories forward participants to marketplaces. The risks are amplified as participants must visit a directory each time they wish to visit a marketplace. Indeed, that market probably changed its domain name since their last visit, and they therefore need to retrieve the new one to visit it.
Should marketplaces manage to secure a single domain name that remains static for extended periods of time, the need to visit directories would be much lower, and this could help reduce the dark web economy’s reliance on these directories. There have been many proposals for decentralized platforms such as OpenBazaar, which could make it easier to keep a single domain, or to not have to move around the marketplaces as much. Initiatives such as OpenBazaar have so far failed as they are complicated to operate, and searching around them remains a huge challenge.
Still, hacking events that jeopardize the very security of the dark web economy are enough to stimulate innovation. It is likely that in the coming months there could be an increase in the development and innovation of decentralized platforms that are more secure. Our intelligence unit will continue to monitor dark web participants’ chatter to identify these new platforms as they come online, as well as track them in real-time.
