DarkMarket Shut Down by Law Enforcement: New Lessons Learned
Over the weekend, German law enforcement shut down DarkMarket, a dark web marketplace, and arrested its administrator, an Australian living in Europe.
According to the official press release, DarkMarket had:
- almost 500,000 users;
- more than 2,400 sellers;
- over 320,000 transactions;
- more than 4,650 bitcoin and 12,800 monero transferred for a total of CAD$217 million in sales.
This is a significant police operation, as DarkMarket was believed to be the second biggest dark web market, after the Hydra marketplace in Russia. The police have yet to announce if more arrests are to follow, what information was discovered during the seizure, and what led to the arrest of the administrator. As always, we will probably need to wait for an eventual trial to learn more about the case.
Reactions from the criminal underground
Many dark web market participants appear to be tired of the constant launch and shut down of dark web markets. Each time a new market opens, vendors need to contact the administrators to have their past sales activity recognized, set up their shop, create new listings and advertise their presence on forums. This explains why many vendors are turning to alternatives such as Telegram and Televent.
Other dark web markets are competing to welcome DarkMarket refugees that have not moved on from the Tor network. Markets offer to waive the normal fees for registering a vendor account for those that can prove they were selling on DarkMarket.
It is in these troubled times that market aggregators step in to protect activity history from the market that was shut down. The two largest aggregators, Kilos and Recon, are offering to help vendors transition to a new market, and to help customers connect with their vendors if they have open orders and money in escrow.
It is too soon to identify the winners and losers following DarkMarket’s demise. Similarly to how we evaluated the shut down of Empire Market, in a few weeks we will provide an updated chart of where dark web users have moved to. For now, a lot of market participants are claiming to be moving to the White House Market, another large dark web marketplace.
Another interesting trend is the use of single vendor shops. These are small websites, hosted on the Tor network, where the administrator is also the sole vendor. Single vendor shops offer direct sales to vendors, and, while rare, are growing in importance.
As with all market shut downs, a lot of rumours circulate around how the market was shut down, and what is to blame for the situation. In this case, there were massive denial of service attacks against the Tor network, which have been associated with law enforcement infiltration in the past. Dark web users would not explicitly comment on how the two are connected, but denial of service attacks could force some web services to connect through the clear web to other servers, enabling law enforcement to locate them more easily.
Lessons learned from DarkMarket’s demise
Following this latest law enforcement operation, we have noticed a few trends worth highlighting.
Market participants are prepared for market shut downs
As soon as the news was made public, numerous threads were created on dark web forums to discuss the event, its implications, and how best to react. Facilitators posted messages offering to help those less accustomed to dealing with market shut downs, and large vendors posted messages on where to reach them.
Past research has found that not only do police operations have limited impact on the criminal underground, but that participants adapted quite fast. We should therefore not expect a long lasting impact on the remaining dark web markets.
Market administrators are veterans from dark web markets
Even though the market administrator’s identity was revealed, the method to identify him remains unknown. Still, market participants have theories that the identity had been known for quite some time, possibly from seizures of other dark web markets. This means that police probably have, in this seizure, significant information about the administrators of the next big dark web markets. Additionally, it means that dark web markets are not isolated ecosystems, but rather interconnected economies that can be leveraged to better understand one another.
Bitcoin is no longer the only cryptocurrency of the criminal underground
Known as anonymous cryptocurrency, Bitcoin actually leaks a good amount of information about its users because of its public ledger. This is why Monero, another cryptocurrency with a private ledger, is rising in popularity on the criminal underground. The statistics on market sales make it difficult to properly assess what percentage of sales were made in Monero versus Bitcoin. A quick back of the envelope calculus suggests that Monero payments represented about 2% of all DarkMarket sales. This may not represent much, but the White House Market, which is likely to take over DarkMarket’s place, only accepts payments in Monero.
Dark web market administrators have not learned from past operational security mistakes
The press release issued by German police indicates that the administrator was living in Europe, and that the servers were hosted in Ukraine and Moldova. This is a repeat of past markets, where the administrators and their servers were in locations they could easily be arrested and seized in. This is somewhat surprising, as we would have expected market administrators to learn from past police operations, and make sure that they would relocate to countries where their arrest would be more difficult.
Given the current practices of market administrators, we should expect law enforcement to maintain their ability to monitor and crack down on markets. From past seizures, they have significant information on who the next administrators are likely to be, and their investigation targets are likely to be living close to them. We will continue to report on the changes in dark web marketplaces in the coming weeks, and share what we learn about market adoption by the criminal underground.